Problem/Motivation
When a user opens a one-time login link, the Referer header sent with requests for any third-party assets on the page leaks the full link, and if the user does not click "Log in" the link remains valid for the next 24 hours.
Example steps to reproduce (STR):
Copied from Bugcrowd. Approved by the Drupal Security Team for public disclosure.
https://tracker.bugcrowd.com/submissions/6db83d94b58bee90091400154d37119...
You can see this vulnerability by:
1. Going to drupal.org in a logged-out browser
2. Requesting a password reset link
3. Opening the developer tools in the browser
4. Pasting the password reset link into the browser
5. Examining the request headers on the page assets before clicking "Log in"
I can reproduce this locally on Drupal 8 by embedding an image from the DA on my local site in a block.
Proposed resolution
When the user accesses a one-time login page, store the tokens in the session and redirect to a bare URL with no tokens before rendering any HTML.
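The proposed resolution as an added PHP sketch (not Drupal core code and not from the issue author): the vulnerable handler that renders HTML while the tokenized URL is still in the address bar, beside the hardened two-hop flow that validates the link, stashes what the form needs in the server-side session, and redirects to a token-free URL before any HTML is served. Function names, session keys, the HMAC secret and the demo values are constructed for illustration; a plain array stands in for the real session store.

```php
<?php
// Added illustration, not Drupal core code. All names and values are
// hypothetical; $session is a plain array standing in for the real store.

declare(strict_types=1);

const RESET_TIMEOUT = 86400; // one-time links stay valid for 24 hours (per the issue)

/**
 * Vulnerable shape: the tokenized URL /user/reset/{uid}/{timestamp}/{hash}
 * renders HTML directly. Every <img>, <script> or <link> fetched by that page
 * goes out with "Referer: https://site/user/reset/{uid}/{timestamp}/{hash}".
 */
function vulnerable_reset(int $uid, int $timestamp, string $hash, int $now): array
{
    if (!link_is_valid($uid, $timestamp, $hash, $now)) {
        return ['status' => 403, 'body' => 'Invalid or expired link.', 'location' => null];
    }
    // HTML is rendered while the token is still the document URL.
    return ['status' => 200, 'body' => render_login_form(), 'location' => null];
}

/**
 * Hardened shape (the issue's proposed resolution): validate, stash the token
 * in the session, then redirect to a bare URL. The HTML and its third-party
 * subresources are only ever served from /user/reset/{uid}, so the Referer
 * never carries the hash.
 */
function hardened_reset(int $uid, int $timestamp, string $hash, int $now, array &$session): array
{
    if (!link_is_valid($uid, $timestamp, $hash, $now)) {
        return ['status' => 403, 'body' => 'Invalid or expired link.', 'location' => null];
    }
    $session['pass_reset_uid']     = $uid;
    $session['pass_reset_hash']    = $hash;
    $session['pass_reset_timeout'] = $timestamp + RESET_TIMEOUT;
    return ['status' => 303, 'body' => '', 'location' => "/user/reset/$uid"];
}

/** Second hop: the bare URL, served only while the session holds a live stash. */
function hardened_reset_form(int $uid, int $now, array &$session): array
{
    if (($session['pass_reset_uid'] ?? null) !== $uid
        || ($session['pass_reset_timeout'] ?? 0) < $now) {
        unset($session['pass_reset_uid'], $session['pass_reset_hash'], $session['pass_reset_timeout']);
        return ['status' => 403, 'body' => 'No valid reset in progress.', 'location' => null];
    }
    return ['status' => 200, 'body' => render_login_form(), 'location' => null];
}

// --- hypothetical helpers ---------------------------------------------------

function link_is_valid(int $uid, int $timestamp, string $hash, int $now): bool
{
    // A real implementation derives the hash from the account's stored
    // credentials and last-login time; a constructed secret stands in here.
    if ($timestamp > $now || $now - $timestamp > RESET_TIMEOUT) {
        return false;
    }
    $expected = hash_hmac('sha256', "$uid:$timestamp", 'constructed-secret');
    return hash_equals($expected, $hash);
}

function render_login_form(): string
{
    // The third-party image is exactly the kind of request whose Referer leaked.
    return '<img src="https://cdn.example/logo.png"><form><button>Log in</button></form>';
}

// --- demo (constructed values) ----------------------------------------------

$uid = 1;
$ts = 1700000000;
$now = $ts + 60;
$hash = hash_hmac('sha256', "$uid:$ts", 'constructed-secret');
$session = [];

$hop1 = hardened_reset($uid, $ts, $hash, $now, $session);
printf("first hop: %d -> %s (token stashed in session: %s)\n",
    $hop1['status'], $hop1['location'], isset($session['pass_reset_hash']) ? 'yes' : 'no');

$hop2 = hardened_reset_form($uid, $now, $session);
printf("second hop: %d, HTML served from the token-free URL\n", $hop2['status']);
```

The first hop returns a 303 with no body, so the browser requests no subresources while the tokenized URL is current; only the second, token-free URL renders the form and its assets. A restrictive Referrer-Policy on the page would reduce what the browser sends with subresource requests, but the redirect is the more robust fix because the hash then never appears as the URL of any rendered document.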
Remaining tasks
decide on strategy
create patch
create tests
review
User interface changes
minor change in one-time login behavior
API changes
small change in behavior of one-time login links
Data model changes
none