Opened 16 years ago

Closed 16 years ago

Last modified 12 years ago

#7849 closed (fixed)

Admin site should authenticate before 404ing, to prevent detection of valid pages

Reported by: anonymous Owned by: nobody
Component: contrib.admin Version: dev
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

This is a very trivial issue so feel free to ignore it, but:

It's possible to scope out the admin site structure by testing whether a URI returns a login page or a 404.

Would it be better to authenticate all requests, even if they result in a 404?

I suppose you'd just need to add a "match all" rule in the urls file and then return a 404 after authentication.
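The oracle described above, and the "match all" fix the reporter suggests, as an added stand-alone example (not Django's admin code, and not code from the ticket): a tiny regex URL resolver with a hard-coded set of admin pages stands in for Django's URLconf and authentication so that it runs without Django installed. The page names, the `Request` type and the `resolve` helper are all constructed for the example. In the "before" URLconf each admin page has its own pattern, so an unknown path fails URL resolution and returns 404 before any view, and therefore any login check, runs; in the "after" URLconf a single `admin/(.*)` pattern routes every path to one view that checks authentication first, so an anonymous client gets the same login page whether or not the path exists.

```python
"""Authenticate before 404: why a per-page admin URLconf leaks structure
and why a single catch-all pattern does not.

Added example; not Django's own code. Pure Python so it runs without Django.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: the admin "pages" an attacker would like to enumerate.
ADMIN_VIEWS: Dict[str, str] = {
    "auth/user/": "user changelist",
    "auth/group/": "group changelist",
    "blog/entry/": "entry changelist",
}

Response = Tuple[int, str]  # (HTTP status, body)
LOGIN_PAGE: Response = (200, "login form")
NOT_FOUND: Response = (404, "Page not found")


@dataclass(frozen=True)
class Request:
    path: str                   # path below the admin prefix, e.g. "auth/user/"
    user: Optional[str] = None  # None models an anonymous request


def _page_view(request: Request) -> Response:
    """Per-page admin view: requires login, then renders the page."""
    if request.user is None:
        return LOGIN_PAGE
    return (200, ADMIN_VIEWS[request.path])


def admin_root(request: Request) -> Response:
    """Catch-all admin view (stands in for admin.site.root): authenticate
    first, and only then decide whether the requested page exists."""
    if request.user is None:
        return LOGIN_PAGE               # identical answer for every path
    if request.path not in ADMIN_VIEWS:
        return NOT_FOUND                # 404 is reachable only once logged in
    return (200, ADMIN_VIEWS[request.path])


URLConf = List[Tuple[str, Callable[[Request], Response]]]

# Before: one pattern per page. A path matching none of them never reaches a
# view, so the 404 is produced before any authentication check.
LEAKY_URLCONF: URLConf = [
    (r"^admin/(%s)$" % re.escape(page), _page_view) for page in ADMIN_VIEWS
]

# After: the single catch-all pattern from the ticket, (r'admin/(.*)', admin.site.root).
CATCH_ALL_URLCONF: URLConf = [(r"^admin/(.*)$", admin_root)]


def resolve(urlconf: URLConf, full_path: str, user: Optional[str] = None) -> Response:
    """Minimal URL resolver: first matching pattern wins; no match is a 404
    raised by resolution itself, with no view (and no login check) involved."""
    for regex, view in urlconf:
        match = re.match(regex, full_path)
        if match:
            return view(Request(match.group(1), user))
    return NOT_FOUND


def anonymous_oracle(urlconf: URLConf, real_path: str, bogus_path: str) -> bool:
    """True if an anonymous client can tell a real admin page from a bogus one."""
    return resolve(urlconf, real_path) != resolve(urlconf, bogus_path)


def probe(urlconf: URLConf, paths: List[str]) -> Dict[str, int]:
    """Status codes an anonymous scanner would record for each probed path."""
    return {p: resolve(urlconf, p)[0] for p in paths}


if __name__ == "__main__":
    probes = ["admin/auth/user/", "admin/blog/entry/", "admin/shop/order/", "admin/secret/"]
    print("per-page URLconf:", probe(LEAKY_URLCONF, probes))
    print("catch-all URLconf:", probe(CATCH_ALL_URLCONF, probes))
```

With the per-page URLconf the scanner sees 200 for the two real pages and 404 for the two bogus ones; with the catch-all it sees 200 (the login form) for all four, and a 404 for a bogus path is returned only after a successful login.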

Change History (7)

comment:1 by anonymous, 16 years ago

This may not be the best way to do this, but I accomplish this for my whole site (including admin) by having a middleware class that redirects all requests (excluding the login and logout page) to the login page if the user is not logged in.

comment:2 by shadow, 16 years ago

Yeah, it's easy enough to do if people are concerned.

I guess the question is whether it should be included as standard?

comment:3 by Adrian Holovaty, 16 years ago

Summary: Authenticate before 404 → Admin site should authenticate before 404ing, to prevent detection of valid pages
Triage Stage: Unreviewed → Accepted

Yes. This should be the standard behavior. I could swear we used to do this -- looks like things have changed.

comment:4 by Michael Radziej, 16 years ago

milestone: 1.0

Bug -> 1.0 milestone.

comment:5 by Bob Thomas <bthomas@…>, 16 years ago

This works correctly for me in current SVN (after newforms-admin merge). The URL conf currently required:

(r'admin/(.*)', admin.site.root),

matches everything, including invalid URLs.

comment:6 by Karen Tracey, 16 years ago

Resolution: fixed
Status: new → closed

Right, this has been fixed by newforms-admin merge. I can't get a 404 until I get past the login screen when I try to reach a bad admin url.

comment:7 by Jacob, 12 years ago

milestone: 1.0 → (none)

Milestone 1.0 deleted
