I don't think we should mark the ticket as closed since we want to merge
part of the open PR, the catch-all view.

On Fri, 8 Jan 2021 at 17:24, Markus Holtermann <i...@markusholtermann.eu>
wrote:

> Thank you for bringing this up, Carlton. And thanks Jon for tackling the
> issues.
>
> I concur with what has been said so far. Especially what James said, that
> there are so many places where one possibly/maybe/theoretically could come
> up with timing attacks. Mitigating the difference in response code behavior
> (302 vs 404) seems like a sensible idea.
>
> But adding the append slash behavior to the Admin seems unnecessary.
> Especially given the example Adam brought up. Maybe you want to post that
> approach on the corresponding ticket, Adam, and close it as wontfix?
>
> Cheers,
>
> Markus
>
> On Thu, Jan 7, 2021, at 5:26 PM, Florian Apolloner wrote:
> >
> >
> > On Thursday, January 7, 2021 at 2:16:57 PM UTC+1 carlton...@gmail.com
> wrote:
> > > 1. Add the catch-all view to admin to stop the unauthenticated
> probing, as per the Security Team's initial idea, but not the
> AdminSite.append_slash option.
> > > 2. Don't even add the catch-all, and close the ticket as wontfix.
> >
> > I think the catch-all view is certainly a worthwhile addition; it is a
> > low hanging fruit that makes fast probing if auth.user is installed
> > impossible.
> >
> > > * It SEEMS to me that the catch-all view does serve its purpose, as
> the AdminSite.admin_view decorator redirects all non-staff requests equally
> to login (whether they exist or not, because the catch-all view exists.)
> This is prior to any per-view timing variation. (I think 🙂)
> >
> > Technically you could already mount a timing attack because url
> > resolving is not constant time, the first matching view wins :þ
> >
> > Cheers,
> > Florian
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "Django developers (Contributions to Django itself)" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to django-developers+unsubscr...@googlegroups.com.
> > To view this discussion on the web visit
> >
> https://groups.google.com/d/msgid/django-developers/03910826-32d4-44c9-a3d5-a35f984c05e7n%40googlegroups.com
> <
> https://groups.google.com/d/msgid/django-developers/03910826-32d4-44c9-a3d5-a35f984c05e7n%40googlegroups.com?utm_medium=email&utm_source=footer
> >.
>
>


-- 
Adam
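As an added illustration of the 302-versus-404 difference the thread is about, here is a constructed model of how admin URL dispatch behaves with and without the catch-all view. It is not Django's own code: `admin_view`, `catch_all_view` and the pattern list are simplified stand-ins for the real `AdminSite` machinery, and the model names are made up.

```python
import re
from dataclasses import dataclass

# Constructed model (not Django's code): ordered (regex, view) patterns,
# first match wins, exactly as the thread notes for URL resolving.
OK, LOGIN_REDIRECT, NOT_FOUND = 200, 302, 404


@dataclass
class Request:
    path: str
    is_staff: bool


def model_view(request):
    return OK  # a real changelist would render here


def catch_all_view(request):
    # Once the staff check has passed, an unknown admin URL is a plain 404.
    return NOT_FOUND


def admin_view(view):
    """Simplified stand-in for AdminSite.admin_view: non-staff requests are
    redirected to login before the wrapped view ever runs."""
    def wrapper(request):
        if not request.is_staff:
            return LOGIN_REDIRECT
        return view(request)
    return wrapper


def build_urlpatterns(installed_models, with_catch_all):
    patterns = [(re.compile(rf"^admin/{app}/{model}/$"), admin_view(model_view))
                for app, model in installed_models]
    if with_catch_all:  # trailing pattern that swallows every other admin URL
        patterns.append((re.compile(r"^admin/(?P<url>.*)$"), admin_view(catch_all_view)))
    return patterns


def dispatch(patterns, request):
    for regex, view in patterns:
        if regex.match(request.path):
            return view(request)
    return NOT_FOUND  # nothing matched: the resolver itself produces the 404


def probe(installed_models, with_catch_all):
    """Status codes an unauthenticated client sees for an installed model
    URL versus one for an app that is not installed (hypothetical 'shop')."""
    patterns = build_urlpatterns(installed_models, with_catch_all)
    present = dispatch(patterns, Request("admin/auth/user/", is_staff=False))
    absent = dispatch(patterns, Request("admin/shop/order/", is_staff=False))
    return present, absent
```

Without the catch-all the pair of codes differs, so an anonymous client can tell which models are registered; with it both paths redirect to login, while a staff user still gets a 404 for the unknown path.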
