#20078 closed Bug (fixed)
Users with change-user permission in the admin can use filtering to reveal password hash
| Reported by: | Jacob | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.5 |
| Severity: | Release blocker | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
?password__startswith=p // the hash is startswith p ?password__startswith=pd // the hash is startswith pd ?password__startswith=pdk // the hash is startswith pdk ?password__startswith=pdka // the hash is not startswith pdka ....
I can get the password hash in auth_user database.
We previously disallowed arbitrary lookups traversing to other models, but that was different because it bypassed the permissions system. In this case, only users who already have user-change perms (which already means they have full admin access, since they can set any user they want to superuser status and change their password) can potentially gain access to a user's current password hash (which itself is probably out of their capacity to break now that we use strong hashing).
Anssi points out it would be easy to just do this on UserAdmin:
def lookup_allowed(self, lookup, value):
if lookup.startswith('password'):
return False
return super(UserAdmin, self).lookup_allowed(lookup, value)
Change History (5)
comment:1 by , 11 years ago
comment:3 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
For purposes of credit - the original report was made by Orange Tsai <orange.8361@…>