#34763 closed Bug (invalid)

Should we disallow URLs as user fields?

Reported by: Mike Lissner Owned by: nobody
Component: contrib.auth Version: 4.2
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

We just got a vulnerability reported to us that an attacker can input a URL as the username when registering for our site. If they do, we send an email that says, essentially, "Hello, www.evil-url.com, please confirm your email address by clicking below..." Other places in the website where their username is shown could also be trouble, I suppose, too.

It's really not a bad vulnerability, but it's not great either, so I'm filing this publicly even though it's a security vulnerability, just barely.

We're going to address this in our websites, starting here:

https://github.com/freelawproject/bigcases2/issues/342

Would it be helpful to do it upstream in Django itself instead/also? We could probably help with that if so.

Change History (1)

comment:1 by Mariusz Felisiak, 17 months ago

Resolution: invalid
Status: newclosed

I can imagine situation when URLs in username are desirable. IMO, deciding for users in such cases is not a framework job. We shouldn't be so caring.

Note: See TracTickets for help on using tickets.
Back to Top