Opened 7 years ago

Closed 7 years ago

Last modified 3 years ago

#7849 closed (fixed)

Admin site should authenticate before 404ing, to prevent detection of valid pages

Reported by: anonymous Owned by: nobody
Component: contrib.admin Version: master
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

This is a very trivial issue so feel free to ignore it, but:

It's possible to scope out the admin site structure by testing if a uri returns a login page or 404.

Would it be better to authenticate all requests, even if they result in a 404?

I suppose you'd just need to add a "match all" rule in the urls file and then return a 404 after authentication.

Change History (7)

comment:1 Changed 7 years ago by anonymous

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

This may not be the best way to do this, but I accomplish this for my whole site (including admin) by having a middleware class that redirects all requests (excluding the login and logout page) to the login page if the user is not logged in.
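The following is an added illustration of the two approaches discussed so far, the ticket's "match all" admin rule and comment 1's site-wide middleware, and of why a per-page URL layout leaks the admin structure. It is not code from the ticket or from Django: a toy resolver stands in for Django's URL dispatcher, and `Request`, `Response`, the sample admin views, `admin_site_root`, `auth_middleware`, `probe` and `responses_are_uniform` are all constructed here for the example.

```python
import re
from dataclasses import dataclass
from functools import partial
from typing import Callable, Dict, List, Optional, Tuple

# Minimal stand-ins for request/response objects (constructed for this example).
@dataclass
class Request:
    path: str
    user: Optional[str] = None   # None means anonymous

@dataclass
class Response:
    status: int
    body: str = ""

View = Callable[..., Response]
Handler = Callable[[Request], Response]
UrlConf = List[Tuple[re.Pattern, View]]

# Hypothetical admin pages standing in for the real admin views.
def admin_index(request: Request, *args) -> Response:
    return Response(200, "admin index")

def admin_changelist(request: Request, *args) -> Response:
    return Response(200, "user changelist")

def login_page(request: Request) -> Response:
    return Response(200, "login form")

ADMIN_PAGES: UrlConf = [
    (re.compile(r"^admin/$"), admin_index),
    (re.compile(r"^admin/auth/user/$"), admin_changelist),
]

def resolve(urlconf: UrlConf, request: Request) -> Response:
    """Toy dispatcher: first matching pattern wins; no match means 404."""
    path = request.path.lstrip("/")
    for pattern, view in urlconf:
        m = pattern.match(path)
        if m:
            return view(request, *m.groups())
    return Response(404, "not found")

def login_required(view: View) -> View:
    """Per-view auth check: it only runs once the resolver has matched the path,
    so an unknown path 404s before any authentication happens."""
    def wrapped(request: Request, *args) -> Response:
        if request.user is None:
            return login_page(request)
        return view(request, *args)
    return wrapped

def admin_site_root(request: Request, rest: str) -> Response:
    """Models a catch-all admin view like the ticket's `(r'admin/(.*)', admin.site.root)`:
    authenticate first, and only then decide whether the sub-path exists."""
    if request.user is None:
        return login_page(request)
    return resolve(ADMIN_PAGES, request)

def auth_middleware(inner: Handler, exempt=("login/", "logout/")) -> Handler:
    """Comment 1's alternative: gate the whole dispatcher, not just the admin."""
    def handler(request: Request) -> Response:
        if request.user is None and request.path.lstrip("/") not in exempt:
            return login_page(request)
        return inner(request)
    return handler

# Leaky layout: each admin page is its own top-level rule, so the resolver
# 404s on unknown paths before any view (and its auth check) is reached.
LEAKY_URLCONF: UrlConf = [(p, login_required(v)) for p, v in ADMIN_PAGES]
LEAKY_HANDLER: Handler = partial(resolve, LEAKY_URLCONF)

# Fixed layout: one "match all" rule under admin/ hands every request to a
# view that authenticates before it 404s.
FIXED_URLCONF: UrlConf = [(re.compile(r"^admin/(.*)$"), admin_site_root)]
FIXED_HANDLER: Handler = partial(resolve, FIXED_URLCONF)

# Middleware layout: the leaky urlconf wrapped in a site-wide login gate.
GATED_HANDLER: Handler = auth_middleware(LEAKY_HANDLER)

def probe(handler: Handler, paths: List[str], user: Optional[str] = None) -> Dict[str, int]:
    """Status code per path for a given user (default: anonymous)."""
    return {p: handler(Request(p, user)).status for p in paths}

def responses_are_uniform(handler: Handler, paths: List[str]) -> bool:
    """Defender's check: anonymous requests must get the same status for every
    admin path, valid or not, or the layout can be mapped without logging in."""
    return len(set(probe(handler, paths).values())) == 1

if __name__ == "__main__":
    sample = ["/admin/", "/admin/auth/user/", "/admin/no-such-page/"]
    for name, handler in (("leaky", LEAKY_HANDLER), ("fixed", FIXED_HANDLER), ("gated", GATED_HANDLER)):
        print(name, probe(handler, sample), "uniform:", responses_are_uniform(handler, sample))
```

With the leaky layout an anonymous request gets the login page for `/admin/` but a 404 for `/admin/no-such-page/`, which is exactly the difference the ticket describes; with either the catch-all view or the middleware, every anonymous admin request gets the same response, and the 404 only appears after login. The `responses_are_uniform` check is the kind of assertion worth keeping in a test suite so a later URL refactor cannot quietly reintroduce the leak.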

comment:2 Changed 7 years ago by shadow

Yea, it's easy enough to do if people are concerned.

I guess the question is whether it should be included as standard?

comment:3 Changed 7 years ago by adrian

  • Summary changed from Authenticate before 404 to Admin site should authenticate before 404ing, to prevent detection of valid pages
  • Triage Stage changed from Unreviewed to Accepted

Yes. This should be the standard behavior. I could swear we used to do this -- looks like things have changed.

comment:4 Changed 7 years ago by mir

  • milestone set to 1.0

Bug -> 1.0 milestone.

comment:5 Changed 7 years ago by Bob Thomas <bthomas@…>

This works correctly for me in current SVN (after newforms-admin merge). The URL conf currently required:

(r'admin/(.*)', admin.site.root),

matches everything, including invalid URLs.

comment:6 Changed 7 years ago by kmtracey

  • Resolution set to fixed
  • Status changed from new to closed

Right, this has been fixed by newforms-admin merge. I can't get a 404 until I get past the login screen when I try to reach a bad admin url.

comment:7 Changed 3 years ago by jacob

  • milestone 1.0 deleted

Milestone 1.0 deleted
