[Twisted-Python] Re: [Twisted-commits] "no such user" is too informative, no need to give attackers more information than necessary
Bruce Mitchener
bruce at cubik.org
Mon Apr 28 14:41:39 MDT 2003
itamarst CVS wrote:
> Modified files:
> Twisted/twisted/web/distrib.py 1.47 1.48
>
> Log message:
> "no such user" is too informative, no need to give attackers more information than necessary
While there is good motivation for not making this public info, it seems
like it would be a good thing to make this available to someone
debugging the system, either by way of the log file or some other means.
While not necessarily appropriate for Twisted, one approach that I've
used well in the past (in my own webserver and web app software) was to
have an error page that recognized authenticated users and would display
generic errors to unknown or unauthorized users, and
informative/descriptive errors to authorized people (as well as direct
access to the web-based tools used to determine what went wrong and so on).
Maybe some sort of policy framework might let that happen within Twisted
or some other generalized logging infrastructure. But at the least, it
seems like this sort of info should be logged.
Cheers,
- Bruce
> ViewCVS links:
> http://twistedmatrix.com/users/jh.twistd/viewcvs/cgi/viewcvs.cgi/twisted/web/distrib.py.diff?r1=text&tr1=1.47&r2=text&tr2=1.48&cvsroot=Twisted
>
> Index: Twisted/twisted/web/distrib.py
> diff -u Twisted/twisted/web/distrib.py:1.47 Twisted/twisted/web/distrib.py:1.48
> --- Twisted/twisted/web/distrib.py:1.47 Tue Dec 3 03:21:48 2002
> +++ Twisted/twisted/web/distrib.py Mon Apr 28 13:36:52 2003
> @@ -230,10 +230,7 @@
> pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell \
> = pwd.getpwnam(username)
> except KeyError:
> - return error.ErrorPage(http.NOT_FOUND,
> - "No Such User",
> - "The user %s was not found on this system." %
> - repr(username))
> + return error.NoResource()
> if sub:
> twistdsock = os.path.join(pw_dir, self.userSocketName)
> rs = ResourceSubscription('unix',twistdsock)
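Review bot: the `except KeyError:` branch now returns `error.NoResource()` and nothing else, so the reason for the failure (the username that `pwd.getpwnam` could not find) is no longer recorded anywhere; consider adding a server-side log line before `return error.NoResource()` (for example via `twisted.python.log.msg`) so an operator can still diagnose a mis-typed or missing account, while the client keeps seeing the generic page. Removing the `repr(username)` from the client-visible body is the right call, since it echoed caller-controlled input and confirmed which accounts exist; it is worth confirming that `error.NoResource()` produces the same 404 status the replaced `http.NOT_FOUND` page did, so the response is indistinguishable from any other missing path.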
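The approach Bruce describes above, generic errors for unknown callers, descriptive errors for authorized ones, and a server-side log entry in every case, as an added example that is not part of this thread or of Twisted's code. It stands in for the `pwd.getpwnam` lookup in `distrib.py` with a constructed user table (`USER_HOMES`), and the `requester_is_admin` flag, the `Response` class and the `AUDIT` list are assumptions made for the illustration.

```python
import logging
from dataclasses import dataclass

# Constructed stand-in for the system password database that
# twisted.web.distrib consults through pwd.getpwnam(username).
USER_HOMES = {
    "alice": "/home/alice",
    "bob": "/home/bob",
}

# Server-side record of failed lookups; a real deployment would send this
# to the normal log file rather than an in-memory list.
AUDIT = []


class _ListHandler(logging.Handler):
    """Collects formatted log records into AUDIT so the example is checkable."""

    def emit(self, record):
        AUDIT.append(self.format(record))


log = logging.getLogger("distrib")
log.setLevel(logging.INFO)
_handler = _ListHandler()
_handler.setFormatter(logging.Formatter("%(name)s: %(message)s"))
log.addHandler(_handler)


@dataclass
class Response:
    status: int
    title: str
    body: str


def lookup_user_home(username):
    """Mimics pwd.getpwnam: returns the home directory or raises KeyError."""
    return USER_HOMES[username]


def user_resource(username, requester_is_admin=False):
    """Resolve a per-user resource the way distrib.py does, but with the
    failure detail routed to the log (always) and to the caller (only when
    the caller is an authorized administrator)."""
    try:
        home = lookup_user_home(username)
    except KeyError:
        # Always record the specific reason server-side for debugging.
        log.info("no such user %r requested", username)
        if requester_is_admin:
            # Authorized callers get the informative message the commit removed.
            return Response(404, "No Such User",
                            "The user %s was not found on this system."
                            % repr(username))
        # Everyone else sees the same page as for any other missing path,
        # so the response does not confirm which accounts exist.
        return Response(404, "No Such Resource", "Resource not found.")
    return Response(200, "OK", "Serving resources from %s" % home)


if __name__ == "__main__":
    print(user_resource("carol"))
    print(user_resource("carol", requester_is_admin=True))
    print(user_resource("alice"))
    print(AUDIT)
```

Running it shows two 404 responses for the unknown user that differ only by the caller's authorization, while the log line carrying the requested name is written either way.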