Opened 10 years ago

Closed 10 years ago

Last modified 7 years ago

#7849 closed (fixed)

Admin site should authenticate before 404ing, to prevent detection of valid pages

Reported by: anonymous Owned by: nobody
Component: contrib.admin Version: master
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


This is a very trivial issue so feel free to ignore it, but:

It's possible to scope out the admin site structure by testing if a uri returns a login page or 404.

Would it be better to authenticate all requests, even if they result in a 404?

I suppose you'd just need to add a "match all" rule in the urls file and then return a 404 after authentication.

Change History (7)

comment:1 Changed 10 years ago by anonymous

This may not be the best way to do this, but I accomplish this for my whole site (including admin) by having a middleware class that redirects all requests (excluding the login and logout page) to the login page if the user is not logged in.
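The status-code oracle the ticket describes, and the middleware approach from the comment above, written out as an added example (not Django's code and not the commenter's middleware). A hand-built request/response pair, a constructed table of "known" admin paths and a login URL of `/admin/login/` stand in for Django's URLconf and settings so the logic runs without the framework installed; the middleware follows Django's `get_response` callable convention and is scoped to `/admin/` rather than the whole site.

```python
"""Login-before-404 ordering for an admin site.

Constructed example: `admin_view` models the leaky ordering (resolve the
URL, 404 on miss, only then check login), and `LoginRequiredMiddleware`
models the fix (check login before any URL resolution).
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import quote

LOGIN_URL = "/admin/login/"                          # assumption: login page location
EXEMPT_PATHS = {"/admin/login/", "/admin/logout/"}   # stay reachable when logged out

# Constructed stand-in for the admin URLconf; only these paths "exist".
KNOWN_ADMIN_PATHS = {"/admin/", "/admin/auth/user/", "/admin/auth/group/"}


@dataclass
class Request:
    path: str
    user_authenticated: bool = False


@dataclass
class Response:
    status_code: int
    location: Optional[str] = None


def _login_redirect(path: str) -> Response:
    return Response(302, location=f"{LOGIN_URL}?next={quote(path)}")


def admin_view(request: Request) -> Response:
    """Leaky ordering: unknown paths 404 before authentication is checked,
    so an anonymous client sees 302 for valid admin URLs and 404 for invalid
    ones and can map the admin structure from that difference."""
    if request.path in EXEMPT_PATHS:
        return Response(200)                 # login/logout pages are public
    if request.path not in KNOWN_ADMIN_PATHS:
        return Response(404)                 # resolved first: this is the leak
    if not request.user_authenticated:
        return _login_redirect(request.path)
    return Response(200)


class LoginRequiredMiddleware:
    """Django-style middleware: every unauthenticated request under /admin/
    (except the exempt pages) is sent to the login page *before* the view
    runs, so valid and invalid paths are indistinguishable until login."""

    def __init__(self, get_response: Callable[[Request], Response]):
        self.get_response = get_response

    def __call__(self, request: Request) -> Response:
        if (request.path.startswith("/admin/")
                and request.path not in EXEMPT_PATHS
                and not request.user_authenticated):
            return _login_redirect(request.path)
        return self.get_response(request)


def probe(handler: Callable[[Request], Response], path: str,
          authenticated: bool = False) -> int:
    """Status code an observer would see for `path`."""
    return handler(Request(path, authenticated)).status_code


def oracle_leaks(handler: Callable[[Request], Response]) -> bool:
    """True when an anonymous client can tell a real admin path from a
    bogus one by status code alone."""
    return probe(handler, "/admin/auth/user/") != probe(handler, "/admin/does-not-exist/")


if __name__ == "__main__":
    hardened = LoginRequiredMiddleware(admin_view)
    print("plain admin view leaks:", oracle_leaks(admin_view))    # True
    print("with middleware leaks: ", oracle_leaks(hardened))      # False
```

Once logged in, the middleware passes requests through unchanged, so authenticated users still get a normal 404 for a bad URL; only the anonymous view of the site is flattened to "login first".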

comment:2 Changed 10 years ago by shadow

Yea, it's easy enough to do if people are concerned.

I guess the question is whether it should be included as standard?

comment:3 Changed 10 years ago by Adrian Holovaty

Summary: Authenticate before 404 → Admin site should authenticate before 404ing, to prevent detection of valid pages
Triage Stage: Unreviewed → Accepted

Yes. This should be the standard behavior. I could swear we used to do this -- looks like things have changed.

comment:4 Changed 10 years ago by Michael Radziej

milestone: 1.0

Bug -> 1.0 milestone.

comment:5 Changed 10 years ago by Bob Thomas <bthomas@…>

This works correctly for me in current SVN (after newforms-admin merge). The URL conf currently required:


matches everything, including invalid URLs.

comment:6 Changed 10 years ago by Karen Tracey

Resolution: fixed
Status: new → closed

Right, this has been fixed by newforms-admin merge. I can't get a 404 until I get past the login screen when I try to reach a bad admin url.

comment:7 Changed 7 years ago by Jacob

milestone: 1.0

Milestone 1.0 deleted
