[Django] #36476: Homoglyph attacks
3 views
Skip to first unread message
Django
Jun 23, 2025, 9:01:48 PM6/23/25
to django-...@googlegroups.com
#36476: Homoglyph attacks
------------------------------+-----------------------------------------
Reporter: Mike Lissner | Type: Uncategorized
Status: new | Component: contrib.auth
Version: 5.1 | Severity: Normal
Keywords: unicode | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+-----------------------------------------
We have a vulnerability disclosure policy on our website and got a report
today that our system allows usernames with
[https://en.wikipedia.org/wiki/Homoglyph homoglyphs]such that somebody can
impersonate another user by using unicode characters. We use the django
auth system, so I thought I'd take this upstream a bit.
I'm did a little digging and didn't see anywhere this was discussed.
Two thoughts:
1. Is this something Django has thought about?
2. If we find a general solution for it (I haven't researched it yet), is
a PR to prevent homoglyphs welcome?
Thanks all!
--
Ticket URL: <https://code.djangoproject.com/ticket/36476>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
------------------------------+-----------------------------------------
Reporter: Mike Lissner | Type: Uncategorized
Status: new | Component: contrib.auth
Version: 5.1 | Severity: Normal
Keywords: unicode | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+-----------------------------------------
We have a vulnerability disclosure policy on our website and got a report
today that our system allows usernames with
[https://en.wikipedia.org/wiki/Homoglyph homoglyphs]such that somebody can
impersonate another user by using unicode characters. We use the django
auth system, so I thought I'd take this upstream a bit.
I'm did a little digging and didn't see anywhere this was discussed.
Two thoughts:
1. Is this something Django has thought about?
2. If we find a general solution for it (I haven't researched it yet), is
a PR to prevent homoglyphs welcome?
Thanks all!
--
Ticket URL: <https://code.djangoproject.com/ticket/36476>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Jun 24, 2025, 1:08:35 AM6/24/25
to django-...@googlegroups.com
#36476: Homoglyph attacks
-------------------------------+--------------------------------------
Reporter: Mike Lissner | Owner: (none)
Type: Uncategorized | Status: closed
Component: contrib.auth | Version: 5.1
Severity: Normal | Resolution: wontfix
Changes (by David Sanders):
* resolution: => wontfix
* status: new => closed
Comment:
Hi Mike, thanks for the idea – seems like something worth at least
discussing.
New feature requests aren't accepted unless discussed first – usually on
the Django forum or more recently via the new-features repo:
https://github.com/django/new-features/
Would you like to start a thread on either of those?
The ticket will become "wontfix" until accepted 👍
--
Ticket URL: <https://code.djangoproject.com/ticket/36476#comment:1>
-------------------------------+--------------------------------------
Reporter: Mike Lissner | Owner: (none)
Type: Uncategorized | Status: closed
Component: contrib.auth | Version: 5.1
Severity: Normal | Resolution: wontfix
Keywords: unicode | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by David Sanders):
* resolution: => wontfix
* status: new => closed
Comment:
Hi Mike, thanks for the idea – seems like something worth at least
discussing.
New feature requests aren't accepted unless discussed first – usually on
the Django forum or more recently via the new-features repo:
https://github.com/django/new-features/
Would you like to start a thread on either of those?
The ticket will become "wontfix" until accepted 👍
--
Ticket URL: <https://code.djangoproject.com/ticket/36476#comment:1>
Reply all
Reply to author
Forward
0 new messages