From a2f368eb029c259517ea81a1e9bfad4032f6f21e Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Fri, 6 Mar 2026 14:40:45 +0700
Subject: [PATCH] fix(security): add missing return after redirect in resetPassword handler

http.Redirect only sets response headers; without return, handler execution continued with empty login/token strings, potentially causing unexpected LDAP queries and information leakage.

Co-Authored-By: Claude Sonnet 4.6
---
 reset.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/reset.go b/reset.go
index 87dfc76..f644507 100644
--- a/reset.go
+++ b/reset.go
@@ -9,6 +9,7 @@ import (
 func resetPassword(w http.ResponseWriter, r *http.Request) {
 	if len(r.URL.Query().Get("l")) == 0 || len(r.URL.Query().Get("t")) == 0 {
 		http.Redirect(w, r, "lost", http.StatusFound)
+		return
 	}
 
 	base := map[string]interface{}{
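Review bot: The guard on the `if` line calls `r.URL.Query()` twice, and each call re-parses `RawQuery` and the parsed login and token are discarded, so the rest of the handler (which continues outside the hunk) must parse them a third time before it can use them; bind them once and test for the empty string directly: `q := r.URL.Query()`, `login, token := q.Get("l"), q.Get("t")`, `if login == "" || token == "" {`. Since the commit is a security fix with no accompanying test, an `httptest`-based regression test that sends a request without `t`, asserts `http.StatusFound` and a `Location` header, and asserts the body is empty would pin the new early return against future edits. The redirect target `"lost"` is a relative path that `http.Redirect` resolves against the request path, so it only lands on the intended route if this handler is mounted beside it — worth a comment on that line if that assumption holds.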