On Thursday, January 7, 2021 at 2:16:57 PM UTC+1 carlton...@gmail.com wrote:
> 1. Add the catch-all view to admin to stop the unauthenticated probing, as > per the Security Teams initial idea, but not the AdminSite.append_slash > option. > 2. Don't even add the catch-all, and close the ticket as wontfix. > I think the catch-all view is certainly a worthwhile addition, it is a low hanging fruit that makes fast probing if auth.user is installed impossible. * It SEEMS to me that the catch-all view does serve it's purpose as as the > AdminSite.admin_view decorator redirects all non-staff requests equally to > login (whether they exist or not, because the catch-all view exists.) This > is prior to any per-view timing variation. (I think ๐) Technically you could already mount a timing attack because url resolving is not constant time, the first matching view wins :รพ Cheers, Florian -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/03910826-32d4-44c9-a3d5-a35f984c05e7n%40googlegroups.com.
