python/pythondotorgPublic

NotificationsYou must be signed in to change notification settings
Fork618
Star1.6k

fix: return an empty profile page when not found#2680

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Open

miketheman wants to merge1 commit intopython:main

base:main

Choose a base branch

frommiketheman:miketheman/fix-empty-profile-page

Open

fix: return an empty profile page when not found#2680

miketheman wants to merge1 commit intopython:mainfrommiketheman:miketheman/fix-empty-profile-page

Conversation

Copy link

Member

miketheman commentedDec 27, 2024

Description

Return an identical empty page to prevent user enumeration.

fix: return an empty profile page when not found

9d5cfe0

Signed-off-by: Mike Fiedler <miketheman@gmail.com>

miketheman requested review fromewdurbin andJacobCoffee ascode owners

December 27, 2024 19:45

JacobCoffee reviewed

Dec 27, 2024

View reviewed changes

users/views.py

		try:
		return super().get_object(queryset)
		except Http404:
		return AnonymousUser()

Copy link

Member

JacobCoffeeDec 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Would returning an anonymous user make it known that a user doesn't exist and the malicious actor could continue enumerating over usernames?

Copy link

MemberAuthor

mikethemanDec 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Initially, yes - since the HTML contents used to include the user's name in the<title> tag - that's been removed in the template.

I examined the HTML output of an existing vs anonymous user to confirm that the only difference is in the actual URL requested - nothing else.

Copy link

Member

pradyunsgDec 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I examined the HTML output of an existing vs anonymous user to confirm that the only difference is in the actual URL requested - nothing else.

non-blocking suggestion: If it's not too expensive in terms of effort, it would be good to add a test that does this.

Copy link

Member

ewdurbin commentedDec 27, 2024

I’m not positive we evenneed or use the public profile page. Removing unauthenticated access to this view entirely is likely the correct move.

Copy link

Member

ewdurbin commentedJan 2, 2025

On a little closer review, I think we should probably do away with the slugged URLs:

pythondotorg/users/urls.py

Lines 41 to 42 in023121f

	re_path(r'^(?P<slug>[-a-zA-Z0-9_\@\.+]+)/delete/$',views.UserDeleteView.as_view(),name='user_delete'),
	re_path(r'^(?P<slug>[-a-zA-Z0-9_\@\.+]+)/$',views.UserDetail.as_view(),name='user_detail'),

and replace them with/users/profile/detail and/users/profile/delete, then add a test_func matching the UserDeleteView to the UserDetail view that allows people to view their own details only.