Opened 6 years ago

Closed 5 years ago

#10777 closed (fixed)

AuthenticationForm.is_valid should reset the password field after validation for security reasons

Reported by: trebor74hr
Owned by: nobody
Component: contrib.auth
Version: master
Severity:
Keywords: security
Cc:
Triage Stage: Design decision needed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

When you use django.contrib.auth.views.login for the login procedure it works like a classic form:

  • GET - creates an empty AuthenticationForm object
  • POST - validates usr/pwd against the auth backend
  • POST - if ok, then you're logged in and redirected somewhere
  • POST - if not ok, then you're again on the same page with information that the credentials are not ok, and the form is already filled with the username and password you typed in on the page before.

In the last case (POST FAIL) the password travels client->server->client. I think the last server->client trip is not needed and can be treated as a security issue. Why pre-fill the password field when it is false anyway, and why expose the password over the network twice, when it could be exposed only once? I didn't have time to investigate how to solve this exactly, but my suggestion is to do the work in an overridden AuthenticationForm.is_valid method (can be seen in the diff file I attach). Diff is against r1105.
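The flow described in the report, as an added example that is not part of the ticket or of Django's own code: a framework-free login form whose `render_password` switch stands in for the `render_value` option of Django's `PasswordInput` widget. With it on, a failed POST re-renders the form with the submitted password echoed into the HTML (the behaviour the ticket objects to); with it off, the username is kept and the password field comes back empty. `LoginForm`, `login_view`, `check_credentials` and `response_echoes_secret` are hypothetical names, and the credential store is constructed for the example.

```python
"""Added example (not Django's code): a minimal login form that shows the
password-echo behaviour described in the ticket and the fix for it."""
from html import escape

# Constructed credential store for the example; a real backend hashes passwords.
_USERS = {"alice": "correct horse battery staple"}


def check_credentials(username, password):
    """Stand-in for an auth backend: True only for a matching pair."""
    return _USERS.get(username) == password


class LoginForm:
    """Form bound to POST data: validates, then renders itself again.

    render_password mirrors PasswordInput(render_value=...): True echoes the
    submitted password back into the HTML, False never writes it out.
    """

    def __init__(self, data=None, render_password=False):
        self.data = data or {}
        self.render_password = render_password
        self.errors = []

    def is_valid(self):
        user = self.data.get("username", "")
        pwd = self.data.get("password", "")
        if not check_credentials(user, pwd):
            self.errors.append("Please enter a correct username and password.")
            return False
        return True

    def render(self):
        user = escape(self.data.get("username", ""))
        # Only the leaky variant puts the submitted password into the markup.
        pwd = escape(self.data.get("password", "")) if self.render_password else ""
        lines = ['<p class="error">%s</p>' % escape(e) for e in self.errors]
        lines.append('<input type="text" name="username" value="%s">' % user)
        lines.append('<input type="password" name="password" value="%s">' % pwd)
        return "\n".join(lines)


def login_view(method, data=None, render_password=False):
    """GET -> empty form; POST ok -> redirect; POST fail -> form re-rendered."""
    if method == "GET":
        return {"status": 200, "body": LoginForm(render_password=render_password).render()}
    form = LoginForm(data, render_password=render_password)
    if form.is_valid():
        return {"status": 302, "body": ""}  # logged in; redirect elsewhere
    return {"status": 200, "body": form.render()}


def response_echoes_secret(response, secret):
    """Defender's check: does the response body carry the submitted secret,
    either raw or HTML-escaped?"""
    body = response["body"]
    return secret in body or escape(secret) in body


if __name__ == "__main__":
    wrong = {"username": "alice", "password": "wrong-guess"}
    for flag in (True, False):
        resp = login_view("POST", wrong, render_password=flag)
        print("render_password=%s -> echoes password: %s"
              % (flag, response_echoes_secret(resp, "wrong-guess")))
```

`response_echoes_secret` is the check worth keeping in a test suite for any login view: submit a wrong password and assert that the failure page does not contain it.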

Attachments (2)

20090410_auth_form_reset_pwd.diff (569 bytes) - added by trebor74hr 6 years ago.
Place where to fix the problem
10777.diff (984 bytes) - added by SmileyChris 6 years ago.

Change History (8)

Changed 6 years ago by trebor74hr

Place where to fix the problem

comment:1 Changed 6 years ago by SmileyChris

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Design decision needed
  • Version changed from 1.1-beta-1 to SVN

Here's the correct fix...

Changed 6 years ago by SmileyChris

comment:2 Changed 5 years ago by kc9ddi

Would strongly encourage adopting the suggested type of behavior. Not only is it potentially more secure, but it seems to be the most common behavior in use for most login forms users encounter on the internet.

comment:3 Changed 5 years ago by SmileyChris

Hi kc9ddi,

If you want to promote tickets, the django-dev google group is a better place to do it.

comment:4 Changed 5 years ago by trebor74hr

Is this a duplicate of #13316?

comment:5 Changed 5 years ago by SmileyChris

Fixed in [13498]

comment:6 Changed 5 years ago by SmileyChris

  • Resolution set to fixed
  • Status changed from new to closed