#36901: Centralize mitigations against timing attacks targeting user enumeration
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Afenomamy
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls):
Certainly. The Security Team was concerned that the reason we missed
CVE-2025-13473 -- the bug where Django wasn't running the password hasher once
for inactive users in the modwsgi handler -- was because of a DRY (Don't
Repeat Yourself) problem, since there was no central utility encapsulating
"get active user and check password, or else run password hasher once".
That's what I meant here:
> A refactor in exposing this functionality in a central place that the
> mod_wsgi auth handler could just call is worth exploring.
Could we refactor both ModelBackend and the modwsgi handler (and possibly any
other places) to just call one utility encapsulating the security concept,
in case we need tweaks to it later?
--
Ticket URL: <https://code.djangoproject.com/ticket/36901#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
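As an added illustration of the "one central utility" idea discussed in the comment above (example code, not Django's own code and not the patch attached to this ticket): a single helper that looks up the user, runs the password hasher exactly once on every path, and only afterwards applies the is-active check, shown beside the early-return shape that skips the hash for unknown or inactive accounts. The in-memory user table, the PBKDF2 stand-in hasher, the dummy salt and all function names are assumptions made for this example; the call counter exists only so the uniform cost is visible without timing measurements.

```python
"""Added example (not Django's code): centralizing "find an active user and
check the password, or else run the password hasher once" so that every
caller (a model backend, a mod_wsgi auth handler, ...) spends the same hashing
work whether or not the username exists or the account is active.
All names, the in-memory store and the PBKDF2 stand-in hasher are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # constructed value; real deployments tune this per hasher

# Counts hasher invocations so the example can show the work is uniform.
hasher_calls = 0


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 stand-in for a framework password hasher."""
    global hasher_calls
    hasher_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    is_active: bool = True


# Constructed in-memory user table standing in for the user model.
USERS = {}


def create_user(username, password, is_active=True):
    salt = os.urandom(16)
    USERS[username] = User(username, salt, hash_password(password, salt), is_active)


# Fixed dummy salt so the unknown-user path costs the same as a real check.
DUMMY_SALT = b"\x00" * 16


def naive_authenticate(username, password):
    """'Before' shape: the early return skips the expensive hash for unknown
    and inactive accounts, so response time reveals which usernames exist."""
    user = USERS.get(username)
    if user is None or not user.is_active:
        return None  # no hashing on this path -> measurably faster
    if hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return user
    return None


def authenticate_constant_work(username, password):
    """Central helper: exactly one hasher run on every path.

    The activity check is applied only after the hash has been computed, so
    unknown, inactive and wrong-password attempts all cost the same."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, DUMMY_SALT)  # burn the same work as a real check
        return None
    ok = hmac.compare_digest(hash_password(password, user.salt), user.password_hash)
    if ok and user.is_active:
        return user
    return None


def hasher_calls_for(fn, username, password):
    """Return how many hasher invocations `fn` spent on one attempt."""
    global hasher_calls
    before = hasher_calls
    fn(username, password)
    return hasher_calls - before
```

Every authentication entry point would call `authenticate_constant_work` rather than re-implementing the lookup-then-hash sequence, which is the DRY point of the comment: a later change to how the dummy hash is computed, or to what "active" means, then lands in one place.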