From 96ae555578c3b4df368092d71e07a6c4ddf8fbe9 Mon Sep 17 00:00:00 2001 From: JiaJia Ji Date: Tue, 14 Jan 2025 13:39:26 +0100 Subject: [PATCH] [Security]: Avoid user enumeration via reset password link (#808) * fix potential email enumeration * Update LoginController.php * Update LoginController.php * Update LoginController.php
---
 src/Controller/Admin/LoginController.php | 9 ++------- templates/admin/login/lost_password.html.twig | 19 +++++-------------- 2 files changed, 7 insertions(+), 21 deletions(-)
diff --git a/src/Controller/Admin/LoginController.php b/src/Controller/Admin/LoginController.php
index ac93665a3b..b3f4e2a229 100644
--- a/src/Controller/Admin/LoginController.php
+++ b/src/Controller/Admin/LoginController.php
@@ -274,18 +274,13 @@ public function lostpasswordAction(
 if ($error) {
 Logger::error('Lost password service: ' . $error);
+ //to avoid timing based enumeration
+ usleep(random_int(50,200));
 }
 }
 $csrfProtection->regenerateCsrfToken($request->getSession());
- if ($error) {
- $params['reset_error'] = 'Please make sure you are entering a correct input.';
- if ($error === 'user_reset_password_too_many_attempts') {
- $params['reset_error'] = 'Too many attempts. Please retry later.';
- }
- }
-
 return $this->render('@PimcoreAdmin/admin/login/lost_password.html.twig', $params);
 }
diff --git a/templates/admin/login/lost_password.html.twig b/templates/admin/login/lost_password.html.twig
index 5d89f286dc..57257e404b 100644
--- a/templates/admin/login/lost_password.html.twig
+++ b/templates/admin/login/lost_password.html.twig
@@ -3,20 +3,11 @@
 {% block content %}
 {% if app.request.method == 'POST' %}
- {% if reset_error is not defined %}
-
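Review bot: The added `usleep(random_int(50,200));` pads only the error branch, and by 50–200 microseconds, so it does not close the timing gap the commit sets out to remove: the success branch (which presumably dispatches the e-mail, outside this hunk) still takes milliseconds longer, and a jitter orders of magnitude smaller than that gap averages away over repeated requests. A more dependable approach is to make the response time independent of the outcome, either by dispatching the mail asynchronously so the request path does the same work in both cases, or by padding both branches to a common minimum duration as sketched below, which needs a start timestamp taken at the top of `lostpasswordAction` (the method begins before this hunk). Whichever is chosen, the comment should state the intent rather than the mechanism, e.g. `// Keep response time independent of whether the username matched an account.`. Note also that with the `reset_error` block removed, the `user_reset_password_too_many_attempts` outcome is now only logged and the form always shows the success message; that is the intended design, but a one-line comment next to the `Logger::error` call would stop it being "fixed" back later.

```php
// … unchanged: lost-password handling, Logger::error() on $error …
$csrfProtection->regenerateCsrfToken($request->getSession());

// Pad both outcomes to the same minimum duration so the response time does
// not reveal whether the submitted username matched an account. $startedAt
// is hrtime(true) captured at the top of the action (outside this hunk);
// the floor is a constructed placeholder and must exceed the mail dispatch time.
$minimumMicros = 500_000;
$elapsedMicros = intdiv(hrtime(true) - $startedAt, 1000);
if ($elapsedMicros < $minimumMicros) {
    usleep($minimumMicros - $elapsedMicros);
}

return $this->render('@PimcoreAdmin/admin/login/lost_password.html.twig', $params);
```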
- {{ 'A temporary login link has been sent to your email address.'|trans([],'admin') }} -
- {{ 'Please check your mailbox.'|trans([],'admin') }} -
- {% else %} -
- {{ 'An error occured when resetting password:'|trans([],'admin') }} - {{ reset_error|trans([],'admin') }} -
- {{ 'Please retry again later or contact an administrator.'|trans([],'admin') }} -
- {% endif %} +
+ {{ 'A temporary login link has been sent to your email address.'|trans([],'admin') }} +
+ {{ 'Please check your mailbox.'|trans([],'admin') }} +
{% else %}
{{ 'Enter your username and pimcore will send a login link to your email address'|trans([],'admin') }}