Opened 3 months ago
Last modified 2 weeks ago
#35730 assigned Cleanup/optimization
Enhance password reset security by signing 'uid' parameter instead of base64-encoding to prevent possible user count leakage — at Version 1
| Reported by: | Remy | Owned by: | |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Remy, Carlton Gibson, Natalia Bidart, Simon Charette, Ülgen Sarıkavak | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | yes |
| Needs tests: | yes | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
When using Django’s default view for requesting a password reset, PasswordResetView, the PasswordResetForm’s save() method sends an email containing a uid parameter generated using urlsafe_base64_encode(force_bytes(user.pk)).
This results in the user’s email inbox containing a password reset link that indirectly reveals the user’s primary key (user.pk), which exposes information about how many users exist on any Django site that uses this default view.
Surely, organizations that design their entities with non-enumerable public identifiers (such as by using a UUIDField for the primary key) would not be affected by this, however as the issue is also addressed by other means, such as a secondary public identifier, or simply a careful app design, I would still think that many Django site owners who prefer to keep this information private are likely unaware that it’s being exposed through this native mechanism.
To prevent the leakage of the user.pk value by default, I replaced the base64 encoding with the signing of the user.pk value (PR https://github.com/django/django/pull/18539).