Opened 3 months ago

Closed 3 months ago

#36476 closed Uncategorized (wontfix)

Homoglyph attacks

Reported by: Mike Lissner
Owned by:
Component: contrib.auth
Version: 5.1
Severity: Normal
Keywords: unicode
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

We have a vulnerability disclosure policy on our website and got a report today that our system allows usernames with homoglyphs such that somebody can impersonate another user by using Unicode characters. We use the Django auth system, so I thought I'd take this upstream a bit.

I did a little digging and didn't see anywhere this was discussed.

Two thoughts:

  1. Is this something Django has thought about?
  2. If we find a general solution for it (I haven't researched it yet), is a PR to prevent homoglyphs welcome?

Thanks all!
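One way such a check could look, as an added example that is not part of the ticket or of Django's code: it flags usernames that mix scripts and usernames whose "skeleton" matches an existing account. The confusables table is a tiny constructed sample (a real deployment would load Unicode's confusables.txt from UTS #39), the script detection is a heuristic based on Unicode character names, and all function names are hypothetical.

```python
import unicodedata

# Constructed sample: a few Cyrillic letters that render like Latin ones.
SAMPLE_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # unnamed code point
        return "UNKNOWN"

def scripts_in(username):
    """Scripts used by the letters of a username after NFKC normalization."""
    normalized = unicodedata.normalize("NFKC", username)
    return {script_of(ch) for ch in normalized if ch.isalpha()}

def is_mixed_script(username):
    """True when letters from more than one script appear in the same name."""
    return len(scripts_in(username)) > 1

def skeleton(username):
    """Simplified skeleton: NFKC, casefold, then map known look-alikes."""
    normalized = unicodedata.normalize("NFKC", username).casefold()
    return "".join(SAMPLE_CONFUSABLES.get(ch, ch) for ch in normalized)

def find_lookalike(candidate, existing):
    """Return an existing username the candidate would be confused with, or None."""
    target = skeleton(candidate)
    for name in existing:
        if name != candidate and skeleton(name) == target:
            return name
    return None

if __name__ == "__main__":
    taken = ["admin", "pay", "alice"]           # constructed sample accounts
    spoof = "\u0430dmin"                        # Cyrillic 'a' followed by Latin "dmin"
    print(spoof == "admin", is_mixed_script(spoof), find_lookalike(spoof, taken))
    whole = "\u0440\u0430\u0443"                # all-Cyrillic, renders like "pay"
    print(is_mixed_script(whole), find_lookalike(whole, taken))
```

The all-Cyrillic case shows why a mixed-script test alone is not enough: the name uses a single script, and only the skeleton comparison against existing accounts catches it.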

Change History (1)

comment:1 by David Sanders, 3 months ago

Resolution: wontfix
Status: new → closed

Hi Mike, thanks for the idea – seems like something worth at least discussing.

New feature requests aren't accepted unless discussed first – usually on the Django forum or more recently via the new-features repo: https://github.com/django/new-features/

Would you like to start a thread on either of those?

The ticket will become "wontfix" until accepted 👍
