authorAndy Staudacher <andy.st@gmail.com>2010-02-11 14:35:05 -0800
committerAndy Staudacher <andy.st@gmail.com>2010-02-11 14:35:05 -0800
commitdc94f6e45a7d45747582cd0ab99439330cd844f1 (patch)
tree5bad6040568e682eed81b6f1b9fc70af113859a4 /modules/user
parent6353a7c2decd62098ebc96951c38c9aade44fc4c (diff)
Include user name in logging message for failed password reset. As Bharat points out, t() ensures that parameters are escaped for XSS.
Diffstat (limited to 'modules/user')
-rw-r--r--modules/user/controllers/password.php6
1 files changed, 4 insertions, 2 deletions
diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php
index c6d7e889..2f8dd990 100644
--- a/modules/user/controllers/password.php
+++ b/modules/user/controllers/password.php
@@ -49,7 +49,8 @@ class Password_Controller extends Controller {
}
private function _send_reset($form) {
- $user = user::lookup_by_name($form->reset->inputs["name"]->value);
+ $user_name = $form->reset->inputs["name"]->value;
+ $user = user::lookup_by_name($user_name);
if ($user && !empty($user->email)) {
$user->hash = md5(rand());
$user->save();
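Review bot: The reset token on the unchanged context line `$user->hash = md5(rand());` is derived from rand(), which is not a cryptographically secure generator, so the value that authorises a password change is far more guessable than its 32 hex characters suggest. The line predates this commit, but since _send_reset is being edited it is worth switching to a CSPRNG-backed value of the same length, e.g. `$user->hash = bin2hex(random_bytes(16));` on PHP 7 or later (openssl_random_pseudo_bytes() on older runtimes). The rest of _send_reset lies outside this hunk, so whether the hash expires or is cleared after use cannot be judged from here.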
@@ -71,7 +72,8 @@ class Password_Controller extends Controller {
} else if (!$user) {
// Don't include the username here until you're sure that it's XSS safe
log::warning(
- "user", t("Password reset email requested for bogus user"));
+ "user", t("Password reset email requested for user %user_name, which does not exist.",
+ array("user_name" => $user_name)));
} else {
log::warning(
"user", t("Password reset failed for %user_name (has no email address on record).",
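Review bot: The context comment `// Don't include the username here until you're sure that it's XSS safe` stays directly above the call that now includes the username, so the comment contradicts the code it describes. Replace it with the invariant the change relies on, for example `// $user_name is unauthenticated input: pass it only as a t() placeholder, never concatenated into the message`. The safety of this line rests on t() escaping `%user_name` and on the log viewer not decoding the stored message again; neither is visible in this hunk, so a test that logs a name containing markup would pin it down. This branch appears reachable without logging in, and any form validation is outside the hunk (as is the start of the if/else chain), so consider bounding the length of the logged name as well.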