Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: return an empty profile page when not found #2680

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: return an empty profile page when not found #2680

wants to merge 1 commit into from

Conversation

miketheman
Copy link
Member

Description

Return an identical empty page to prevent user enumeration.

JacobCoffee
JacobCoffee reviewed Dec 27, 2024
View reviewed changes
users/views.py
try:
return super().get_object(queryset)
except Http404:
return AnonymousUser()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would returning an anonymous user make it known that a user doesn't exist and the malicious actor could continue enumerating over usernames?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Initially, yes - since the HTML contents used to include the user's name in the <title> tag - that's been removed in the template.

I examined the HTML output of an existing vs anonymous user to confirm that the only difference is in the actual URL requested - nothing else.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I examined the HTML output of an existing vs anonymous user to confirm that the only difference is in the actual URL requested - nothing else.

non-blocking suggestion: If it's not too expensive in terms of effort, it would be good to add a test that does this.

@ewdurbin
Copy link
Member

I’m not positive we even need or use the public profile page. Removing unauthenticated access to this view entirely is likely the correct move.

@ewdurbin
Copy link
Member

ewdurbin commented Jan 2, 2025

On a little closer review, I think we should probably do away with the slugged URLs:

pythondotorg/users/urls.py

Lines 41 to 42 in 023121f

re_path(r'^(?P<slug>[-a-zA-Z0-9_\@\.+]+)/delete/$', views.UserDeleteView.as_view(), name='user_delete'),
re_path(r'^(?P<slug>[-a-zA-Z0-9_\@\.+]+)/$', views.UserDetail.as_view(), name='user_detail'),

and replace them with /users/profile/detail and /users/profile/delete, then add a test_func matching the UserDeleteView to the UserDetail view that allows people to view their own details only.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JacobCoffee JacobCoffee JacobCoffee left review comments

@pradyunsg pradyunsg pradyunsg left review comments

@ewdurbin ewdurbin Awaiting requested review from ewdurbin ewdurbin is a code owner

At least 0 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@miketheman @ewdurbin @pradyunsg @JacobCoffee