fix: don't expose user existence if visitor can't view users #12447
Conversation
|
Do we really want to do this? Can't guests just go to /register page and check if a username is already taken by trying out different usernames? |
|
Unlike just loading the user page, registration is much more likely to be protected by e.g. CAPTCHA than a normal page load, so checking that would be much more taxing on an attacker than a simple URL enumeration (and even without special protection, submitting a form with CSRF requires a bit more work from the attacker). I honestly can't say whether it's really important though, but it is a sort of non-obvious information leakage and I can see some scenarios where it could be useful (e.g. invite-only forum that's trying to only expose some announcement/information [like how to get an invite] topics to guests but hides most content and doesn't want to expose a user list). However, looking again at the issue it seems I solved Y instead of X - the actual problem the user is experiencing is high traffic from a malicious user, arguably a better solution there could be a rate limit... |
I agree with your explanation, the forum I use is protected by recaptcha so it would be extremely difficult for someone to test out if a username is taken that way. Unfortunately, that's all I can say for this matter as I'm not familiar with the technicalities behind this PR |
resolves #12432
This is a slightly hacky way to fix this, but I'm not entirely sure if there aren't any plugins depending on
exposeUid/exposeGroupNameshort-circuiting to a 404 on lack of the relevant value (which obvious solutions would need to change), while this ensures it still goes directly to 404 if the visitor has the relevant privilege while going to notAllowed otherwise.This way also required changes to just the middleware and not any of its consumers.
Also, this fixes the same issue for groups because the code was shared already.