fix: return an empty profile page when not found #2680

Open
miketheman wants to merge 1 commit into python:main from
miketheman:miketheman/fix-empty-profile-page

miketheman commented Dec 27, 2024

Description

Return an identical empty page to prevent user enumeration.

Signed-off-by: Mike Fiedler <miketheman@gmail.com>
try:
return super().get_object(queryset)
except Http404:
return AnonymousUser()
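
Review bot: in the `except Http404` branch, returning `AnonymousUser()` hands the rest of the view an object that is not an instance of the view's model, so found and not-found responses only match if everything downstream reads attributes that `AnonymousUser` also has. Consider a regression test that requests an existing and a non-existent slug and asserts that the status code and rendered body are the same, and a short comment on the `except` saying the substitution is deliberate.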

JacobCoffee commented Dec 27, 2024

Would returning an anonymous user make it known that a user doesn't exist and the malicious actor could continue enumerating over usernames?

miketheman commented Dec 27, 2024

Initially, yes - since the HTML contents used to include the user's name in the <title> tag - that's been removed in the template.

I examined the HTML output of an existing vs anonymous user to confirm that the only difference is in the actual URL requested - nothing else.

pradyunsg commented Dec 29, 2024

> I examined the HTML output of an existing vs anonymous user to confirm that the only difference is in the actual URL requested - nothing else.

non-blocking suggestion: If it's not too expensive in terms of effort, it would be good to add a test that does this.
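
An added example (not part of this pull request or the project's code) of the comparison described in this thread: it checks two captured responses for differences in status, `<title>` and body after masking the requested path. The `Captured` type, the helper names and the two HTML templates are constructed for illustration.

```python
from dataclasses import dataclass
from html.parser import HTMLParser

@dataclass
class Captured:
    path: str    # URL path that was requested
    status: int  # HTTP status code
    body: str    # response body as text

class TitleParser(HTMLParser):
    """Collects the text inside <title>."""
    def __init__(self):
        super().__init__()
        self.in_title, self.title = False, ""
    def handle_starttag(self, tag, attrs):
        self.in_title = tag == "title"
    def handle_endtag(self, tag):
        self.in_title = False
    def handle_data(self, data):
        if self.in_title:
            self.title += data

def page_title(body):
    parser = TitleParser()
    parser.feed(body)
    return parser.title.strip()

def enumeration_signals(found, missing):
    """List the ways a client could tell the two responses apart."""
    signals = []
    if found.status != missing.status:
        signals.append("status")
    if page_title(found.body) != page_title(missing.body):
        signals.append("title")
    # The page may echo the requested URL; mask it before comparing bodies.
    if found.body.replace(found.path, "{path}") != missing.body.replace(missing.path, "{path}"):
        signals.append("body")
    return signals

# Constructed templates: OLD puts the username in <title>, NEW does not.
OLD = "<html><head><title>{name} | Profile</title></head><body><a href='{path}'>self</a></body></html>"
NEW = "<html><head><title>Profile</title></head><body><a href='{path}'>self</a></body></html>"
def capture(template, name, status=200):
    path = f"/users/{name or 'no-such-user'}/"
    return Captured(path, status, template.format(name=name, path=path))

if __name__ == "__main__":
    for tpl, status in ((OLD, 404), (OLD, 200), (NEW, 200)):
        print(enumeration_signals(capture(tpl, "alice"), capture(tpl, "", status)))
```

In a project test suite the two `Captured` values would come from the test client's responses for an existing and a non-existent username, with the assertion that the returned list is empty.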

Member

I’m not positive we even need or use the public profile page. Removing unauthenticated access to this view entirely is likely the correct move.

ewdurbin commented Jan 2, 2025

On a little closer review, I think we should probably do away with the slugged URLs:

re_path(r'^(?P<slug>[-a-zA-Z0-9_\@\.+]+)/delete/$', views.UserDeleteView.as_view(), name='user_delete'),
re_path(r'^(?P<slug>[-a-zA-Z0-9_\@\.+]+)/$', views.UserDetail.as_view(), name='user_detail'),

and replace them with /users/profile/detail and /users/profile/delete, then add a test_func matching the UserDeleteView to the UserDetail view that allows people to view their own details only.
