[Twisted-Python] Re: [Twisted-commits] "no such user" is too informative, no need to give attackers more information than necessary
Uwe C. Schroeder
uwe at oss4u.com
Mon Apr 28 15:45:07 MDT 2003
It would already be helpful if there was a simple log entry, console message
etc. about this
On Monday 28 April 2003 01:41 pm, Bruce Mitchener wrote:
> itamarst CVS wrote:
> > Modified files:
> > Twisted/twisted/web/distrib.py 1.47 1.48
> >
> > Log message:
> > "no such user" is too informative, no need to give attackers more
> > information than necessary
>
> While there is good motivation for not making this public info, it seems
> like it would be a good thing to make this available to someone
> debugging the system, either by way of the log file or some other means.
>
> While not necessarily appropriate for Twisted, one approach that I've
> used well in the past (in my own webserver and web app software) was to
> have an error page that recognized authenticated users and would display
> generic errors to unknown or unauthorized users, and
> informative/descriptive errors to authorized people (as well as direct
> access to the web-based tools used to determine what went wrong and so on).
>
> Maybe some sort of policy framework might let that happen within Twisted
> or some other generalized logging infrastructure. But at the least, it
> seems like this sort of info should be logged.
>
> Cheers,
>
> - Bruce
>
> > ViewCVS links:
> > http://twistedmatrix.com/users/jh.twistd/viewcvs/cgi/viewcvs.cgi/twisted/
> >web/distrib.py.diff?r1=text&tr1=1.47&r2=text&tr2=1.48&cvsroot=Twisted
> >
> > Index: Twisted/twisted/web/distrib.py
> > diff -u Twisted/twisted/web/distrib.py:1.47
> > Twisted/twisted/web/distrib.py:1.48 ---
> > Twisted/twisted/web/distrib.py:1.47 Tue Dec 3 03:21:48 2002 +++
> > Twisted/twisted/web/distrib.py Mon Apr 28 13:36:52 2003
> > @@ -230,10 +230,7 @@
> > pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir,
> > pw_shell \ = pwd.getpwnam(username)
> > except KeyError:
> > - return error.ErrorPage(http.NOT_FOUND,
> > - "No Such User",
> > - "The user %s was not found on this
> > system." % - repr(username))
> > + return error.NoResource()
> > if sub:
> > twistdsock = os.path.join(pw_dir, self.userSocketName)
> > rs = ResourceSubscription('unix',twistdsock)
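Review bot: the `except KeyError:` branch now returns `error.NoResource()` and records nowhere that `pwd.getpwnam(username)` found no such account, so the only trace of why a `/~user` request failed is gone along with the leak; an operator debugging the path has nothing to go on. Suggest logging the failed lookup server-side just before the `return error.NoResource()` line, so the specific reason stays in the log while the client still sees only the generic not-found page, which also keeps the response identical for a missing user and for other failures on this path. Worth noting in the commit message as a secondary benefit: the removed page interpolated `repr(username)` straight into the response body, so caller-supplied input no longer reaches the error page at all.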
>
> _______________________________________________
> Twisted-Python mailing list
> Twisted-Python at twistedmatrix.com
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
--
UC
--
Open Source Solutions 4U, LLC 2570 Fleetwood Drive
Phone: +1 650 872 2425 San Bruno, CA 94066
Cell: +1 650 302 2405 United States
Fax: +1 650 872 2417
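The pattern Bruce describes (one generic error for anonymous clients, the specific reason logged for the operator and shown only to an authenticated administrator), written out as an added example; this is not code from the thread or from Twisted, and it stands in for the real `pwd.getpwnam()` and socket check with a constructed `USER_DB` table. The names `serve_user_site`, `Response` and `viewer_is_admin` are assumptions made for the illustration.

```python
import html
import logging
from dataclasses import dataclass

log = logging.getLogger("distrib_example")

# Constructed stand-in for the pwd database and the per-user socket check:
# username -> (home directory, whether a twistd socket exists in it).
USER_DB = {
    "alice": ("/home/alice", True),
    "bob": ("/home/bob", False),
}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# The single answer every anonymous client gets for any failure on this path,
# so "user does not exist" and "user exists but is not serving" look identical.
GENERIC_NOT_FOUND = Response(404, "No Such Resource")


def serve_user_site(username, viewer_is_admin=False, user_db=USER_DB):
    """Dispatch a /~username request (hypothetical handler).

    Every failure is logged with full detail for the operator, but the client
    receives the same generic 404 unless the viewer is an authenticated admin.
    """
    try:
        home, has_socket = user_db[username]
    except KeyError:
        detail = "no such user %r" % username
    else:
        if has_socket:
            return Response(200, "proxying to twistd socket in %s" % home)
        detail = "user %r exists but has no twistd socket in %s" % (username, home)

    # Operator-facing record: the specific reason stays on the server side.
    log.warning("distrib: %s", detail)

    if viewer_is_admin:
        # Descriptive error only for a verified admin; escape the user-supplied
        # name so it cannot inject markup into the page.
        return Response(404, "Not found: %s" % html.escape(detail))
    return GENERIC_NOT_FOUND


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name in ("alice", "bob", "carol"):
        print(name, "anonymous ->", serve_user_site(name))
        print(name, "admin     ->", serve_user_site(name, viewer_is_admin=True))
```

The important property is that the anonymous responses for `bob` (exists, no socket) and `carol` (no account) compare equal, so the response body cannot be used to enumerate accounts, while the log line and the admin view still say exactly which case occurred.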