Race condition when creating new accounts
| Reported by: | anonymous | Owned by: | Steffen Hoffmann |
| Cc: | Ryan J Ollos | Trac Release: | 0.12 |
There is a race condition in AccountManagerPlugin that occurs when a user is creating a new account.
For the htfile backend, no file locking is ever done during the account creation process. For the db backend, the account creation process is spread across multiple transactions.
This means that one request can check to see if an account exists, not find it, start adding a new account, and then discover that another request already did the same thing (which results in it bombing out with an IntegrityError when trying to add the email, name, etc. to the database). Because of the order in which operations occur, this also means that the second request will wipe out the temporary password the first request created, which means the email the new user gets contains an invalid password.
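The interleaving described in this ticket, replayed deterministically next to a single-transaction version, as an added example that is not AccountManagerPlugin's code. SQLite stands in for the db backend, and the table layout, helper names and sample values are assumptions made for the illustration.

```python
import sqlite3

# Hypothetical schema, constructed for this example (not the plugin's own tables).
SCHEMA = ("CREATE TABLE password (username TEXT, hash TEXT);"
          "CREATE TABLE attribute (username TEXT, name TEXT, value TEXT, UNIQUE (username, name));")

def new_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit per statement
    db.executescript(SCHEMA)
    return db

def exists(db, user):
    return db.execute("SELECT 1 FROM password WHERE username=?", (user,)).fetchone() is not None
def stored_password(db, user):
    return db.execute("SELECT hash FROM password WHERE username=?", (user,)).fetchone()[0]

def set_password(db, user, pw):  # replaces whatever is stored, in its own transactions
    db.execute("DELETE FROM password WHERE username=?", (user,))
    db.execute("INSERT INTO password VALUES (?, ?)", (user, pw))

def set_email(db, user, email):
    db.execute("INSERT INTO attribute VALUES (?, 'email', ?)", (user, email))

def racy_interleaving(db):
    """Requests A and B both register 'alice'; returns (stored password, B failed?)."""
    assert not exists(db, "alice") and not exists(db, "alice")  # A's and B's checks both pass
    set_password(db, "alice", "tmp-A")
    set_email(db, "alice", "a@example.test")   # A finishes and mails out "tmp-A"
    set_password(db, "alice", "tmp-B")         # B overwrites A's temporary password
    try:
        set_email(db, "alice", "b@example.test")
        b_failed = False
    except sqlite3.IntegrityError:             # B only now learns the account exists
        b_failed = True
    return stored_password(db, "alice"), b_failed

def create_account_atomic(db, user, pw, email):
    """Existence check and every write in one transaction; False if the name is taken."""
    db.execute("BEGIN IMMEDIATE")              # take SQLite's write lock before checking
    try:
        if exists(db, user):
            return False
        db.execute("INSERT INTO password VALUES (?, ?)", (user, pw))
        set_email(db, user, email)
        db.execute("COMMIT")
        return True
    finally:
        if db.in_transaction:                  # duplicate or error: undo everything
            db.execute("ROLLBACK")
```

With the racy flow the stored password ends up as `tmp-B` even though request B failed, so the password mailed by request A no longer matches. With the atomic version the second registration returns `False` and A's password is left untouched.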
Change History (7)
comment:6 Changed 4 years ago by
| Cc: | Ryan J Ollos added; anonymous removed |
| Severity: | normal → major |