#7263 closed (fixed)
Don't check that user has entered e-mail instead of username
| Reported by: | Valera Grishin | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | dev |
| Severity: | Keywords: | nfa-blocker | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Current django/trunk/contrib/admin/views/decorators.py has function staff_member_required which checks whether user supplied an e-mail address instead of username in the login form.
If so and e-mail is found in the user database it will suggest (via error message) the user to use username instead. The error message will also show the username found by given e-mail.
Here is the code in the staff_member_required function:
if user is None:
message = ERROR_MESSAGE
if '@' in username:
# Mistakenly entered e-mail address instead of username? Look it up.
users = list(User.objects.filter(email=username))
if len(users) == 1:
message = _("Your e-mail address is not your username. Try '%s' instead.") % users[0].username
else:
# Either we cannot find the user, or if more than 1
# we cannot guess which user is the correct one.
message = _("Usernames cannot contain the '@' character.")
return _display_login_form(request, message)
This feature actually works as lookup and partially uncovers sensitive information. It can be used to:
- check whether certain e-mail exists (at all)
- check whether certain e-mail is registered (on certain site)
- find username by e-mail
In order to solve this issue the logic can be simplified as follows:
if user is None:
message = ERROR_MESSAGE
if '@' in username:
message = _("Usernames cannot contain the '@' character.")
return _display_login_form(request, message)
Corresponding patch is attached.
Attachments (1)
Change History (9)
by , 16 years ago
| Attachment: | secure_decorator.patch added |
|---|
comment:1 by , 16 years ago
There is also related #7259 which discusses another aspect of the same code.
comment:3 by , 16 years ago
| Keywords: | nfa-blocker added |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
This is a good idea; however, we have halted work on admin in favor of newforms-admin. Marking ticket for inclusion in newforms-admin.
comment:4 by , 16 years ago
| milestone: | → 1.0 alpha |
|---|
comment:5 by , 16 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
follow-up: 7 comment:6 by , 14 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
Still this security issue is not fixed.
I have my custom authentication backend, which stores email-like username in different table, and in auth.models.User table, username is something like: <id>@<authmethod>.
Every thing works ok, my custom authentication backend prevents users from logging in through auth.models.User username field, requiring user's email address as username. But when I try to log-in through Django admin login form, it shows my generated username, which should not be visible to anyone:
Your e-mail address is not your username. Try '1@email' instead.
If there is possibility to customize authentication, so why admin login form hardcodes that all usernames should not be emails? I suggest that this checking should be removed at all.
comment:7 by , 14 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
patch