Thank you for bringing this up, Carlton. And thanks Jon for tackling the issues.

I concur with what has been said so far. Especially what James said, that there are so many places where one possibly/maybe/theoretically could come up with timing attacks. Mitigating the difference in response code behavior (302 vs 404) seems like a sensible idea. But adding the append slash behavior to the Admin seems unnecessary. Especially given the example Adam brought up. Maybe you want to post that approach on the corresponding ticket, Adam, and close it as wontfix?

Cheers,
Markus

On Thu, Jan 7, 2021, at 5:26 PM, Florian Apolloner wrote:
>
> On Thursday, January 7, 2021 at 2:16:57 PM UTC+1 [email protected] wrote:
> > 1. Add the catch-all view to admin to stop the unauthenticated probing, as
> > per the Security Team's initial idea, but not the AdminSite.append_slash
> > option.
> > 2. Don't even add the catch-all, and close the ticket as wontfix.
>
> I think the catch-all view is certainly a worthwhile addition, it is a
> low hanging fruit that makes fast probing if auth.user is installed
> impossible.
>
> > * It SEEMS to me that the catch-all view does serve its purpose as the
> > AdminSite.admin_view decorator redirects all non-staff requests equally to
> > login (whether they exist or not, because the catch-all view exists.) This
> > is prior to any per-view timing variation. (I think 🙂)
>
> Technically you could already mount a timing attack because url
> resolving is not constant time, the first matching view wins :þ
>
> Cheers,
> Florian
>
> --
> You received this message because you are subscribed to the Google
> Groups "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/03910826-32d4-44c9-a3d5-a35f984c05e7n%40googlegroups.com
> <https://groups.google.com/d/msgid/django-developers/03910826-32d4-44c9-a3d5-a35f984c05e7n%40googlegroups.com?utm_medium=email&utm_source=footer>.
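The probing leak and the catch-all mitigation discussed in the thread, as an added illustration that is not part of the original messages and not Django's own code. It is a framework-free toy model: a resolver that, like Django's, lets the first matching pattern win; an `admin_view`-style gate that redirects every non-staff request to the login page; and an optional catch-all pattern registered last under `/admin/`. The class, function and app names (`ToyAdminSite`, `probe`, `apps_inferred`, `auth`, `shop`) and the paths are constructed for the example.

```python
"""Toy model of the admin URL probing leak and the catch-all mitigation.

Added, framework-free simulation (not Django's code): a tiny resolver that
mimics the relevant behaviour of Django's URL resolver (first matching
pattern wins), of AdminSite.admin_view (non-staff requests are redirected
to the login page) and of the proposed catch-all view (every otherwise
unmatched /admin/ path is also routed through admin_view).  App names and
paths are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

LOGIN_PATH = "/admin/login/"


@dataclass
class Response:
    status: int
    location: Optional[str] = None


class ToyAdminSite:
    """Model of an admin site with one changelist URL per installed app."""

    def __init__(self, installed_apps: Set[str], catch_all: bool = False):
        self.installed_apps = installed_apps
        self.catch_all = catch_all

    def patterns(self) -> List[Tuple[str, str]]:
        # Order matters: as in Django, the first pattern that matches wins,
        # so the catch-all has to be registered last.
        pats = [(r"^/admin/login/$", "login")]
        for app in sorted(self.installed_apps):
            pats.append((rf"^/admin/{re.escape(app)}/$", f"{app}_changelist"))
        if self.catch_all:
            pats.append((r"^/admin/", "catch_all"))
        return pats

    def dispatch(self, path: str, is_staff: bool = False) -> Response:
        for regex, name in self.patterns():
            if not re.match(regex, path):
                continue
            if name == "login":
                return Response(200)
            if not is_staff:
                # admin_view: anyone without admin permission is sent to the
                # login page, regardless of which view matched.
                return Response(302, f"{LOGIN_PATH}?next={path}")
            if name == "catch_all":
                # Authenticated staff still get a real 404 for unknown paths.
                return Response(404)
            return Response(200)
        # Nothing matched: the resolver itself produces the 404.
        return Response(404)


def probe(site: ToyAdminSite, candidates: List[str]) -> Dict[str, int]:
    """Unauthenticated attacker: request /admin/<app>/ for each guess and
    record the status code.  Without a catch-all, 302 means the pattern
    (and therefore the app) exists and 404 means it does not."""
    return {app: site.dispatch(f"/admin/{app}/").status for app in candidates}


def apps_inferred(site: ToyAdminSite, candidates: List[str]) -> Set[str]:
    """Apps the attacker would conclude are installed from the probe."""
    return {app for app, status in probe(site, candidates).items() if status == 302}


if __name__ == "__main__":
    guesses = ["auth", "shop", "does_not_exist"]
    leaky = ToyAdminSite({"auth", "shop"})
    hardened = ToyAdminSite({"auth", "shop"}, catch_all=True)
    print("without catch-all:", probe(leaky, guesses))
    print("with catch-all:   ", probe(hardened, guesses))
    print("staff, unknown path on hardened site:",
          hardened.dispatch("/admin/does_not_exist/", is_staff=True).status)
```

Without the catch-all, the probe maps `auth` and `shop` to 302 and `does_not_exist` to 404, so an anonymous client learns which apps are registered. With the catch-all, every path under `/admin/` answers 302 to an anonymous client and the inferred set is just the list of guesses, which is the point the thread makes; the model deliberately ignores the resolver-order timing difference Florian mentions, which the catch-all does not remove.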
