#7849 closed (fixed)
Admin site should authenticate before 404ing, to prevent detection of valid pages
| Reported by: | anonymous | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | dev |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
This is a very trivial issue so feel free to ignore it, but:
It's possible to scope out the admin site structure by testing if a uri returns a login page or 404.
Would it be better to authenticate all requests, even if they result in a 404?
I suppose you'd just need to add a "match all" rule in the urls file and then return a 404 after authentication.
Change History (7)
comment:1 by , 16 years ago
comment:2 by , 16 years ago
Yea, it's easy enough to do if people are concerned.
I guess the question is whether it should be included as standard?
comment:3 by , 16 years ago
| Summary: | Authenticate before 404 → Admin site should authenticate before 404ing, to prevent detection of valid pages |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
Yes. This should be the standard behavior. I could swear we used to do this -- looks like things have changed.
comment:5 by , 16 years ago
This works correctly for me in current SVN (after newforms-admin merge). The URL conf currently required:
(r'admin/(.*)', admin.site.root),
matches everything, including invalid URLs.
comment:6 by , 16 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Right, this has been fixed by newforms-admin merge. I can't get a 404 until I get past the login screen when I try to reach a bad admin url.
This may not be the best way to do this, but I accomplish this for my whole site (including admin) by having a middleware class that redirects all requests(excluding the login and logout page) to the login page if the user is not logged in.