#36476: Homoglyph attacks
------------------------------+-----------------------------------------
Reporter: Mike Lissner | Type: Uncategorized
Status: new | Component: contrib.auth
Version: 5.1 | Severity: Normal
Keywords: unicode | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+-----------------------------------------
We have a vulnerability disclosure policy on our website and got a report
today that our system allows usernames with
[https://en.wikipedia.org/wiki/Homoglyph homoglyphs] such that somebody can
impersonate another user by using unicode characters. We use the django
auth system, so I thought I'd take this upstream a bit.
I did a little digging and didn't see anywhere this was discussed.
Two thoughts:
1. Is this something Django has thought about?
2. If we find a general solution for it (I haven't researched it yet), is
a PR to prevent homoglyphs welcome?
Thanks all!
--
Ticket URL: <https://code.djangoproject.com/ticket/36476>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
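Added example, not part of the ticket or of Django's own code: a stdlib-only check of the kind a project could wrap in a username validator to catch the impersonation described above. It rejects usernames that mix scripts and usernames whose "skeleton" (NFKC, casefold, a small constructed confusable map, combining marks stripped) collides with an existing account; the confusable table is an illustrative subset, not the full Unicode confusables data, and the script detection is a heuristic based on Unicode character names.

```python
import unicodedata
from typing import List, Optional

# Constructed, illustrative subset of Unicode confusables: Cyrillic and Greek
# letters that render like ASCII. The real UTS #39 table is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",   # Cyrillic а е о р с х у
    "\u03bf": "o", "\u03b1": "a",                  # Greek ο α
    "\u0456": "i", "\u0458": "j",                  # Cyrillic і ј
}


def script_of(ch: str) -> Optional[str]:
    """Heuristic: first word of the character's Unicode name (LATIN, CYRILLIC, ...)."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else None


def scripts_in(username: str) -> set:
    """Scripts used by the letters of a username, after NFKC (so fullwidth
    'Ｍ' counts as LATIN rather than as its own pseudo-script)."""
    normalized = unicodedata.normalize("NFKC", username)
    return {s for s in map(script_of, normalized) if s}


def skeleton(username: str) -> str:
    """Canonical form for comparing visually similar usernames: NFKC (the
    normalization Django's normalize_username() applies), casefold, map known
    confusables to ASCII, then drop combining marks (é -> e)."""
    s = unicodedata.normalize("NFKC", username).casefold()
    s = "".join(CONFUSABLES.get(c, c) for c in s)
    s = unicodedata.normalize("NFKD", s)
    return "".join(c for c in s if not unicodedata.combining(c))


def validate_username(candidate: str, existing: List[str]) -> Optional[str]:
    """Return a rejection reason, or None if the username is acceptable."""
    if len(scripts_in(candidate)) > 1:
        return "mixed scripts"
    sk = skeleton(candidate)
    for other in existing:
        if other != candidate and skeleton(other) == sk:
            return f"confusable with existing user {other!r}"
    return None
```

Stripping combining marks is a strict policy that also merges "josé" with "jose"; relax that step if such names must coexist.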