
This doesn't look like the actual fix but rather a follow-up refactor. I believe the fix is here: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec43798...

    - recoverable.send_reset_password_instructions(to: email) if recoverable&.persisted?
    + recoverable.send_reset_password_instructions if recoverable&.persisted?
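Review bot: the `+` line should come with a spec that pins the recipient, because once `to: email` is dropped the hunk no longer shows where `send_reset_password_instructions` gets its address from. A test that submits more than one address and asserts that mail goes only to what is stored on `recoverable` would cover it. It is also worth confirming how `recoverable` is looked up, since the `email` value that used to be passed as `to:` may still drive that lookup.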



On GitHub, the fix would be adding a regex to ensure there was no list on the user-supplied email.


and making send_reset_password_instructions get the email addresses itself from the "recoverable" object.


Oh yeah, good pickup thanks!
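The two-part fix described in the comments above (reject a list in the user-supplied email, and take the recipient from the record rather than from the request), sketched as an added example that is not part of the thread and not GitLab's code. `User`, `USERS`, `find_by_email`, `reset_before` and `reset_after` are hypothetical stand-ins, and the data is constructed.

```ruby
# Hypothetical model: a record with an id and its stored email addresses.
User = Struct.new(:id, :emails) do
  def persisted?
    !id.nil?
  end
end

# Constructed sample data.
USERS = [User.new(1, ["owner@example.test"])].freeze

# Finder that matches when ANY supplied value belongs to a user,
# which is how a list-valued parameter can still resolve to a record.
def find_by_email(email)
  wanted = Array(email)
  USERS.find { |u| (u.emails & wanted).any? }
end

# Before: the recipient list is whatever the request supplied.
def reset_before(email)
  user = find_by_email(email)
  user&.persisted? ? Array(email) : []
end

# Single-address shape check (deliberately simple, assumed for this sketch).
SINGLE_EMAIL = /\A[^@\s,;]+@[^@\s,;]+\z/

# After: input must be one string with one address, and the recipients
# are read from the stored record, never from the request.
def reset_after(email)
  return [] unless email.is_a?(String) && email.match?(SINGLE_EMAIL)
  user = find_by_email(email)
  user&.persisted? ? user.emails.dup : []
end
```

Each function returns the list of addresses that would receive the reset mail, so the two versions can be compared on the same input.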



