Opened 3 months ago
Closed 3 months ago
#36476 closed Uncategorized (wontfix)
Homoglyph attacks
| Reported by: | Mike Lissner | Owned by: | |
|---|---|---|---|
| Component: | contrib.auth | Version: | 5.1 |
| Severity: | Normal | Keywords: | unicode |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
We have a vulnerability disclosure policy on our website and got a report today that our system allows usernames with homoglyphssuch that somebody can impersonate another user by using unicode characters. We use the django auth system, so I thought I'd take this upstream a bit.
I'm did a little digging and didn't see anywhere this was discussed.
Two thoughts:
- Is this something Django has thought about?
- If we find a general solution for it (I haven't researched it yet), is a PR to prevent homoglyphs welcome?
Thanks all!
Note:
See TracTickets
for help on using tickets.
Hi Mike, thanks for the idea – seems like something worth at least discussing.
New feature requests aren't accepted unless discussed first – usually on the Django forum or more recently via the new-features repo: https://github.com/django/new-features/
Would you like to start a thread on either of those?
The ticket will become "wontfix" until accepted 👍