Opened 2 hours ago

Last modified 71 minutes ago

#36901 assigned Cleanup/optimization

Centralize mitigations against timing attacks targeting user enumeration

Reported by: Jacob Walls
Owned by: Sarah Boyce
Component: contrib.auth
Version: dev
Severity: Normal
Keywords:
Cc: Jake Howard
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The patch for CVE-2025-13473 (3eb814e02a4c336866d4189fa0c24fd1875863ed) runs the default password hasher once in django.contrib.auth.handlers.modwsgi, just like ModelBackend has done since #20760.

A refactor exposing this functionality in a central place that the mod_wsgi auth handler could just call is worth exploring.

The Security Team decided against attempting that refactoring in a patch release.

Additional findings:

  • aauthenticate() still does manual extra hashing
  • verify_password() still does manual extra hashing
  • in the mod_wsgi auth handler, handling of custom user models lacking the "is_active" attribute should be clarified. It currently raises AttributeError, but to align with ModelBackend, we could change the semantics.

So, the acceptance requirements for this ticket would be something like:

  • no behavior changes
  • except for possibly the AttributeError edge case discussed above, if documented appropriately
  • reduce the number of calls to set_password("")
  • avoid coupling the modwsgi handler to ModelBackend

Another outcome would be a bit of work showing that this has pitfalls or isn't worth it.
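As an added illustration of the pattern this ticket is about (example code written for this page, not Django's own implementation and not part of the ticket): the password hasher runs exactly once on every path, so an unknown username costs the same as a known one. The central helper verify_password_or_burn, the PBKDF2 stand-in hasher, the dict-based user store and the mod_wsgi-style handler below are all assumptions made for the example; the only piece mirroring Django is user_can_authenticate, which treats a missing is_active attribute as active the way ModelBackend does. The naive variant is included to show the timing leak being mitigated.

```python
"""Constant-work password verification against user enumeration by timing.

Added example, not Django's code: hasher, user store and handler names are
stand-ins chosen for this illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 50_000   # stand-in for a production hasher's work factor
hasher_runs = 0       # instrumented so the hasher calls per request can be counted


def _pbkdf2(password: str, salt: bytes) -> bytes:
    global hasher_runs
    hasher_runs += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_password(password: str) -> str:
    salt = os.urandom(16)
    return salt.hex() + "$" + _pbkdf2(password, salt).hex()


def check_password(password: str, encoded: str) -> bool:
    salt_hex, digest_hex = encoded.split("$", 1)
    digest = _pbkdf2(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class User:
    username: str
    password: str          # encoded hash
    is_active: bool = True


@dataclass
class LegacyUser:
    """Custom user model without an is_active attribute (the edge case in the ticket)."""
    username: str
    password: str


def user_can_authenticate(user) -> bool:
    # ModelBackend semantics: a model with no is_active attribute counts as active.
    is_active = getattr(user, "is_active", None)
    return is_active or is_active is None


def verify_password_or_burn(user, password: str) -> bool:
    """Central helper (assumed name): one hasher run whether or not the user exists."""
    if user is None:
        make_password(password)   # dummy hash, same cost as a real check, result discarded
        return False
    return check_password(password, user.password)


def authenticate_naive(users: dict, username: str, password: str):
    """Timing-unsafe: an unknown username returns before any hashing happens."""
    user = users.get(username)
    if user is None:
        return None
    if check_password(password, user.password) and user_can_authenticate(user):
        return user
    return None


def authenticate(users: dict, username: str, password: str):
    """Backend-style authenticate built on the central helper."""
    user = users.get(username)
    if verify_password_or_burn(user, password) and user_can_authenticate(user):
        return user
    return None


def modwsgi_check_password(users: dict, username: str, password: str):
    """mod_wsgi-style handler reusing the helper instead of its own dummy hash.

    Contract assumed for this example: None for an unknown user, otherwise a
    bool that is True only for a correct password on a user allowed to log in.
    """
    user = users.get(username)
    ok = verify_password_or_burn(user, password)
    if user is None:
        return None
    return bool(ok and user_can_authenticate(user))


def hasher_runs_for(fn, *args) -> int:
    """Count how many times the hasher ran during a single call of fn."""
    before = hasher_runs
    fn(*args)
    return hasher_runs - before


def build_users() -> dict:
    # Constructed sample store for the demonstration.
    return {
        "alice": User("alice", make_password("correct horse")),
        "bob": User("bob", make_password("battery staple"), is_active=False),
        "carol": LegacyUser("carol", make_password("legacy pw")),
    }


if __name__ == "__main__":
    users = build_users()
    print("naive, unknown user, hasher runs:", hasher_runs_for(authenticate_naive, users, "nobody", "x"))
    print("hardened, unknown user, hasher runs:", hasher_runs_for(authenticate, users, "nobody", "x"))
    print("hardened, known user, hasher runs:", hasher_runs_for(authenticate, users, "alice", "x"))
```

The counter is the practical check: for the hardened functions every path reports one hasher run, while the naive variant reports zero for an unknown username, which is the measurable difference an enumeration attack keys on. Both the backend and the handler call the same helper, so neither needs to remember the dummy hash on its own, which is the decoupling the ticket asks for.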

Change History (2)

comment:1 by Jacob Walls, 2 hours ago

Owner: set to Sarah Boyce
Status: new → assigned

Tentatively passing over to Sarah to evaluate if a good fit for the next Djangonaut Space session. Can return to the pool if not.

comment:2 by Jacob Walls, 71 minutes ago

Summary: Centralize mitigations against timing attacks → Centralize mitigations against timing attacks targeting user enumeration