#35730: Enhance password reset security by signing 'uid' parameter instead of base64-encoding to prevent possible user count leakage
--------------------------------------+------------------------------------
Reporter: Remy | Owner: Remy
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Comment (by Remy):
Replying to [comment:5 Antoine Humbert]:
> How does this address the uid leakage ? Signing is not encrypting. Even
> if signed, the uid is still present and clearly visible in the reset link.
Indeed, you're right. I initially thought signing would be an improvement
over simple base64 encoding, but the signed string still exposes the uid
in the reset link.
What are our options from here?
My guess is that encryption would be the solution for this kind of case.
We could use the cryptography library to encrypt and decrypt the uid, with
the encryption key derived from the `SECRET_KEY`. However, this would add
a new dependency to Django, since cryptography isn’t part of the standard
library.
We could also implement a simple obfuscation method (like an XOR cipher),
which avoids external dependencies but would be less secure.
I am waiting on community guidance and feedback to help move forward with
this issue.
--
Ticket URL: <https://code.djangoproject.com/ticket/35730#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
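As an added illustration of the two points made in the comment above (this is example code written for this discussion, not the ticket's patch and not Django's own implementation), the block below uses only the standard library. `SECRET_KEY` is a constructed stand-in for `settings.SECRET_KEY`, and `sign_uid` only loosely mirrors the `base64(payload):signature` shape of `django.core.signing` (Django's real signer adds a salt and key derivation). It shows that a signed uid is tamper-proof but fully readable by anyone holding the link, and that the fixed-keystream XOR option leaks the relationship between two tokens without the key, which is why that option is weaker than real encryption.

```python
# Added example, not Django code: signing protects integrity, not confidentiality,
# and a keyed XOR with a fixed key stream is not a substitute for encryption.
import base64
import hashlib
import hmac
import json

SECRET_KEY = "constructed-secret-key-for-demo"  # stand-in for settings.SECRET_KEY


def b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used in reset links."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64decode(s: str) -> bytes:
    """Inverse of b64(): restore the padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_uid(uid: int) -> str:
    """Signed token in the spirit of signing.dumps(): base64 payload + HMAC tag."""
    payload = b64(json.dumps({"uid": uid}).encode())
    tag = hmac.new(SECRET_KEY.encode(), payload.encode(), hashlib.sha256).digest()
    return f"{payload}:{b64(tag)}"


def verify_signed_uid(token: str) -> int:
    """Server side: reject tampering, then read the uid."""
    payload, tag = token.rsplit(":", 1)
    expected = hmac.new(SECRET_KEY.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64decode(tag)):
        raise ValueError("bad signature")
    return json.loads(b64decode(payload))["uid"]


def read_uid_without_key(token: str) -> int:
    """Anyone holding the link: the payload is plain base64, no key needed."""
    payload = token.rsplit(":", 1)[0]
    return json.loads(b64decode(payload))["uid"]


def xor_obfuscate(uid: int) -> str:
    """The 'simple XOR cipher' option: 8-byte uid XOR a key stream from SECRET_KEY."""
    plain = uid.to_bytes(8, "big")
    stream = hashlib.sha256(SECRET_KEY.encode()).digest()[:8]
    return b64(bytes(p ^ k for p, k in zip(plain, stream)))


def xor_tokens_leak(token_a: str, token_b: str) -> int:
    """Without the key: XOR of two tokens cancels the fixed stream, leaving uid_a ^ uid_b."""
    a, b = b64decode(token_a), b64decode(token_b)
    return int.from_bytes(bytes(x ^ y for x, y in zip(a, b)), "big")


if __name__ == "__main__":
    token = sign_uid(42)
    print("signed token:", token)
    print("verified uid:", verify_signed_uid(token))
    print("uid read with no key:", read_uid_without_key(token))
    print("uid_a ^ uid_b from XOR tokens:", xor_tokens_leak(xor_obfuscate(42), xor_obfuscate(43)))
```

The takeaway for the ticket is that hiding the uid needs an authenticated cipher (for example an AEAD from the `cryptography` package, which the standard library does not provide), or a design that never puts the uid in the link at all; signing alone, or a deterministic keyed XOR, only changes how easily the value is read.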