Opened 2 months ago

Last modified 6 days ago

#35730 assigned Cleanup/optimization

Enhance password reset security by signing 'uid' parameter instead of base64-encoding to prevent possible user count leakage — at Version 1

Reported by: Remy
Owned by:
Component: contrib.auth
Version: dev
Severity: Normal
Keywords:
Cc: Remy, Carlton Gibson, Natalia Bidart, Simon Charette, Ülgen Sarıkavak
Triage Stage: Accepted
Has patch: yes
Needs documentation: yes
Needs tests: yes
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description (last modified by Remy)

When using Django’s default view for requesting a password reset, PasswordResetView, the PasswordResetForm’s save() method sends an email containing a uid parameter generated using urlsafe_base64_encode(force_bytes(user.pk)).

This results in the user’s email inbox containing a password reset link that indirectly reveals the user’s primary key (user.pk), which exposes information about how many users exist on any Django site that uses this default view.

Surely, organizations that design their entities with non-enumerable public identifiers (such as by using a UUIDField for the primary key) would not be affected by this; however, as the issue is also addressed by other means, such as a secondary public identifier or simply a careful app design, I would still think that many Django site owners who prefer to keep this information private are likely unaware that it’s being exposed through this native mechanism.

To prevent the leakage of the user.pk value by default, I replaced the base64 encoding with the signing of the user.pk value (PR https://github.com/django/django/pull/18539).
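An added Python illustration of the two encodings the ticket contrasts (this is not Django's code and not the code of the linked PR): a standard-library stand-in for urlsafe_base64_encode(force_bytes(user.pk)) next to an HMAC-signed variant that plays the role of django.core.signing. SECRET_KEY and every function name here are constructed for the example. The point a practitioner should take from it: the base64 uid is reversible by anyone who holds the link, and the signed uid is tamper-evident (it cannot be forged or altered without the key), but a signature authenticates rather than encrypts, so the payload it carries is still readable. Keeping the primary key out of the link therefore still relies on a non-enumerable identifier of the kind the description mentions (a UUIDField primary key or a secondary public identifier).

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for settings.SECRET_KEY (Django reads the real one from settings).
SECRET_KEY = "constructed-secret-key-for-this-example-only"


def encode_uid_base64(pk: int) -> str:
    """Mirror of urlsafe_base64_encode(force_bytes(user.pk)): reversible, no secret involved.

    Django strips the '=' padding from the result, so this does the same."""
    return base64.urlsafe_b64encode(str(pk).encode("ascii")).decode("ascii").rstrip("=")


def decode_uid_base64(uid: str) -> int:
    """Reverse the encoding: whoever holds the reset link can read the primary key."""
    padded = uid + "=" * (-len(uid) % 4)  # restore the padding Django removed
    return int(base64.urlsafe_b64decode(padded))


def _signature(payload: str) -> str:
    """HMAC-SHA256 over the payload, keyed with SECRET_KEY, base64url-encoded without padding."""
    mac = hmac.new(SECRET_KEY.encode("utf-8"), payload.encode("ascii"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def make_signed_uid(pk: int) -> str:
    """Signed form: '<base64 payload>:<signature>'.

    Without SECRET_KEY nobody can produce a valid token for another pk, and any change
    to the payload invalidates the signature. The payload itself is not hidden."""
    payload = encode_uid_base64(pk)
    return f"{payload}:{_signature(payload)}"


def verify_signed_uid(token: str) -> Optional[int]:
    """Return the pk if the token's signature is valid, otherwise None."""
    payload, sep, sig = token.rpartition(":")
    if not sep:
        return None  # malformed: no signature part at all
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(sig, _signature(payload)):
        return None
    try:
        return decode_uid_base64(payload)
    except (ValueError, binascii.Error):
        return None  # valid signature over a payload that is not a pk; treat as invalid


if __name__ == "__main__":
    token = make_signed_uid(42)
    print("base64 uid:", encode_uid_base64(42), "-> decodes to", decode_uid_base64(encode_uid_base64(42)))
    print("signed uid:", token, "-> verifies to", verify_signed_uid(token))
    print("signed payload still decodes to", decode_uid_base64(token.split(":")[0]))
```

The verification step rejects a token whose payload was swapped for another user's encoded pk while keeping the original signature, which is the forgery a plain base64 uid cannot detect on its own (Django relies on the separate token parameter for that); the last line of the demo shows why signing alone does not address the disclosure the ticket is about.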

Change History (1)

comment:1 by Remy, 2 months ago

Description: modified (diff)