Opened 10 months ago
Closed 10 months ago
#34763 closed Bug (invalid)
Should we disallow URLs as user fields?
| Reported by: | Mike Lissner | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 4.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
We just got a vulnerability reported to us that an attacker can input a URL as the username when registering for our site. If they do, we send an email that says, essentially, "Hello, www.evil-url.com, please confirm your email address by clicking below..." Other places in the website where their username is shown could also be trouble, I suppose, too.
It's really not a bad vulnerability, but it's not great either, so I'm filing this publicly even though it's a security vulnerability, just barely.
We're going to address this in our websites, starting here:
https://github.com/freelawproject/bigcases2/issues/342
Would it be helpful to do it upstream in Django itself instead/also? We could probably help with that if so.
I can imagine situation when URLs in username are desirable. IMO, deciding for users in such cases is not a framework job. We shouldn't be so caring.