From dc94f6e45a7d45747582cd0ab99439330cd844f1 Mon Sep 17 00:00:00 2001
From: Andy Staudacher
Date: Thu, 11 Feb 2010 14:35:05 -0800
Subject: Include user name in logging message for failed password reset.

As Bharat points out, t() ensures that parameters are escaped for XSS.
---
 modules/user/controllers/password.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'modules/user/controllers')

diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php
index c6d7e889..2f8dd990 100644
--- a/modules/user/controllers/password.php
+++ b/modules/user/controllers/password.php
@@ -49,7 +49,8 @@ class Password_Controller extends Controller {
 }
 private function _send_reset($form) {
- $user = user::lookup_by_name($form->reset->inputs["name"]->value);
+ $user_name = $form->reset->inputs["name"]->value;
+ $user = user::lookup_by_name($user_name);
 if ($user && !empty($user->email)) {
 $user->hash = md5(rand());
 $user->save();
@@ -71,7 +72,8 @@ class Password_Controller extends Controller {
 } else if (!$user) {
 // Don't include the username here until you're sure that it's XSS safe
 log::warning(
- "user", t("Password reset email requested for bogus user"));
+ "user", t("Password reset email requested for user %user_name, which does not exist.",
+ array("user_name" => $user_name)));
 } else {
 log::warning(
 "user", t("Password reset failed for %user_name (has no email address on record).",
-- 
cgit v1.2.3
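Review bot: `$user->hash = md5(rand());` in the context lines of the first hunk derives the password-reset token from `rand()`, which is not a cryptographically secure generator, so the token is considerably more predictable than its 32 hex characters suggest. The line is not touched by this commit, but since `_send_reset()` is being edited it is worth switching the token to a CSPRNG-backed value, e.g. `$user->hash = bin2hex(openssl_random_pseudo_bytes(16));` on PHP 5.3+ (or `bin2hex(random_bytes(16))` on PHP 7+). The new `$user_name` holds raw form input; it is fine as a `t()` parameter, as the commit message explains, but it should not be reused in any raw string or query elsewhere in the method. The body of `_send_reset()` continues past the end of this hunk.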
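Review bot: In the second hunk the context comment `// Don't include the username here until you're sure that it's XSS safe` directly above the rewritten `log::warning(` call is now contradicted by the code beneath it, which does include the username; since the justification is that `t()` escapes its parameters, the comment should state that instead, e.g. `// $user_name is untrusted input; logging it is safe only because t() escapes %user_name.` HTML escaping aside, the name is still caller-controlled and unbounded in length, so if `log::warning()` does not already normalize its message, truncating the value (for example with `mb_substr()`) or stripping control characters before logging would keep a single request from producing an oversized or multi-line log entry. The `else if` chain starts before this hunk and `_send_reset()` ends after it, so the surrounding branches are not visible here.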