[Django] #27352: Warn about social media fingerprinting when using redirect_authenticated_user


Django

Oct 15, 2016, 3:29:11 PM
to django-...@googlegroups.com
#27352: Warn about social media fingerprinting when using redirect_authenticated_user
-------------------------------------+-------------------------------------
Reporter: Markus Holtermann | Owner: Markus Holtermann
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: 1.10
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 1 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
Public disclosure after talking with security team.

Django 1.10 introduced `redirect_authenticated_user` to the login views. A
report I came across the other day
(https://robinlinus.github.io/socialmedia-leak/) points out that redirects
on GET for authenticated users can potentially be used to gain the login
state of a user for a site.

I believe we should warn users about that issue. Reverting
10781b4c6ff981f581157957d221e7621e0bf4ed (#12233) doesn't seem necessary
to me. It is a useful feature if you know you don't serve image files from
those domains.

--
Ticket URL: <https://code.djangoproject.com/ticket/27352>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
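The leak the ticket refers to works because an already-authenticated GET to the login page is answered with a redirect, and the `next` parameter lets a third party choose where that redirect lands; if it lands on an image the site serves, a cross-site `<img>` element fires `onload` for a logged-in visitor and `onerror` for everyone else. The following is an added example, not code from the ticket, the pull request or Django itself, and it does not depend on Django being installed. It models a login view's GET handling as plain functions and compares a naive policy that honours any same-host `next` with a stricter one that also refuses targets the site serves as images, then checks whether an image probe can still tell the two login states apart. `REQUEST_HOST`, `DEFAULT_REDIRECT`, `IMAGE_PREFIXES`, `IMAGE_SUFFIXES` and all function names are hypothetical, constructed for this example.

```python
"""Added example (not from the ticket or Django): modelling the login-state
oracle behind #27352 and a redirect policy that closes it.

All names and the site configuration below are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed configuration for the example site.
REQUEST_HOST = "example.com"
DEFAULT_REDIRECT = "/accounts/profile/"      # analogue of LOGIN_REDIRECT_URL (HTML page)
IMAGE_PREFIXES = ("/static/", "/media/")     # paths this site serves image files from
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".webp")


def is_same_host(target, request_host):
    """True if ``target`` is relative or an http(s) URL on ``request_host``.

    Browsers treat a backslash like a slash, so the backslash-normalised
    spelling is checked as well; a non-http(s) scheme is never accepted.
    """
    for candidate in (target, target.replace("\\", "/")):
        parts = urlsplit(candidate)
        if parts.scheme and parts.scheme not in ("http", "https"):
            return False
        if parts.netloc not in ("", request_host):
            return False
    return True


def serves_image(path):
    """True if this site would answer ``path`` with an image body."""
    path = path.lower()
    return path.startswith(IMAGE_PREFIXES) or path.endswith(IMAGE_SUFFIXES)


def naive_target(next_url, request_host=REQUEST_HOST):
    """'Before' policy: honour any same-host ``next``, whatever it serves."""
    if next_url and is_same_host(next_url, request_host):
        return next_url
    return DEFAULT_REDIRECT


def redirect_target(next_url, request_host=REQUEST_HOST):
    """Stricter policy: same host only, and never a target served as an image.

    Anything else falls back to DEFAULT_REDIRECT, which is an HTML page, so
    the response body kind no longer depends on the visitor's login state.
    """
    if not next_url or not is_same_host(next_url, request_host):
        return DEFAULT_REDIRECT
    if serves_image(urlsplit(next_url).path):
        return DEFAULT_REDIRECT
    return next_url


def login_get(authenticated, next_url, policy=redirect_target):
    """Model of the login view on GET with redirect_authenticated_user=True.

    Returns (status, body_kind): the login form for anonymous visitors, or a
    redirect whose body kind is what the chosen target would serve.
    """
    if authenticated:
        target = policy(next_url)
        body = "image" if serves_image(urlsplit(target).path) else "html"
        return 302, body
    return 200, "html"


def img_onload_fires(response):
    """What a cross-site <img> pointed at the login URL would observe."""
    return response[1] == "image"


def leaks_login_state(next_url, policy=redirect_target):
    """True if the image-load outcome differs between a logged-in and a
    logged-out visitor, i.e. the login page acts as a login-state oracle."""
    logged_in = img_onload_fires(login_get(True, next_url, policy))
    logged_out = img_onload_fires(login_get(False, next_url, policy))
    return logged_in != logged_out


if __name__ == "__main__":
    probe = "/static/logo.png"
    print("naive policy leaks:", leaks_login_state(probe, naive_target))
    print("strict policy leaks:", leaks_login_state(probe, redirect_target))
```

The strict policy only removes the in-site image targets; the wording that landed in Django's documentation goes further and advises hosting images and the favicon on a separate domain, which makes the same-host check alone sufficient because no image URL can then pass it. A site that must keep images on the main host would need something like the prefix and suffix checks above, kept in sync with whatever the web server actually serves as images.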

Django

Oct 15, 2016, 3:31:56 PM
to django-...@googlegroups.com
#27352: Warn about social media fingerprinting when using redirect_authenticated_user
-------------------------------------+-------------------------------------
Reporter: Markus Holtermann | Owner: Markus Holtermann
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Markus Holtermann):

* needs_docs: 1 => 0
* has_patch: 0 => 1


Comment:

PR: https://github.com/django/django/pull/7403

--
Ticket URL: <https://code.djangoproject.com/ticket/27352#comment:1>

Django

Oct 17, 2016, 4:34:42 PM
to django-...@googlegroups.com
#27352: Warn about social media fingerprinting when using redirect_authenticated_user
-------------------------------------+-------------------------------------
Reporter: Markus Holtermann | Owner: Markus Holtermann
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

* stage: Unreviewed => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/27352#comment:2>

Django

Oct 18, 2016, 11:39:31 AM
to django-...@googlegroups.com
#27352: Warn about social media fingerprinting when using redirect_authenticated_user
-------------------------------------+-------------------------------------
Reporter: Markus Holtermann | Owner: Markus Holtermann
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: 1.10
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"b5fc192b99ce92a7ccad08cca7b59b1a4e7ca230" b5fc192]:
{{{
#!CommitTicketReference repository=""
revision="b5fc192b99ce92a7ccad08cca7b59b1a4e7ca230"
Fixed #27352 -- Doc'd social media fingerprinting consideration with
login's redirect_authenticated_user.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27352#comment:3>

Django

Oct 18, 2016, 6:01:21 PM
to django-...@googlegroups.com
#27352: Warn about social media fingerprinting when using redirect_authenticated_user
-------------------------------------+-------------------------------------
Reporter: Markus Holtermann | Owner: Markus Holtermann
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: 1.10
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"d3ca2907789c348bb132dfd112379df07db0cbbf" d3ca2907]:
{{{
#!CommitTicketReference repository=""
revision="d3ca2907789c348bb132dfd112379df07db0cbbf"
[1.10.x] Fixed #27352 -- Doc'd social media fingerprinting consideration
with login's redirect_authenticated_user.

Backport of b5fc192b99ce92a7ccad08cca7b59b1a4e7ca230 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27352#comment:4>
