[Twisted-Python] Re: [Twisted-commits] "no such user" is too informative, no need to give attackers more information than necessary

Uwe C. Schroeder uwe at oss4u.com
Mon Apr 28 17:45:07 EDT 2003


It would already be helpful if there was a simple log entry, console message 
etc.  about this

On Monday 28 April 2003 01:41 pm, Bruce Mitchener wrote:
> itamarst CVS wrote:
> > Modified files:
> > Twisted/twisted/web/distrib.py 1.47 1.48
> >
> > Log message:
> > "no such user" is too informative, no need to give attackers more
> > information than necessary
>
> While there is good motivation for not making this public info, it seems
> like it would be a good thing to make this available to someone
> debugging the system, either by way of the log file or some other means.
>
> While not necessarily appropriate for Twisted, one approach that I've
> used well in the past (in my own webserver and web app software) was to
> have an error page that recognized authenticated users and would display
> generic errors to unknown or unauthorized users, and
> informative/descriptive errors to authorized people (as well as direct
> access to the web-based tools used to determine what went wrong and so on).
>
> Maybe some sort of policy framework might let that happen within Twisted
> or some other generalized logging infrastructure.  But at the least, it
> seems like this sort of info should be logged.
>
> Cheers,
>
>   - Bruce
>
> > ViewCVS links:
> > http://twistedmatrix.com/users/jh.twistd/viewcvs/cgi/viewcvs.cgi/twisted/
> >web/distrib.py.diff?r1=text&tr1=1.47&r2=text&tr2=1.48&cvsroot=Twisted
> >
> > Index: Twisted/twisted/web/distrib.py
> > diff -u Twisted/twisted/web/distrib.py:1.47
> > Twisted/twisted/web/distrib.py:1.48 ---
> > Twisted/twisted/web/distrib.py:1.47	Tue Dec  3 03:21:48 2002 +++
> > Twisted/twisted/web/distrib.py	Mon Apr 28 13:36:52 2003
> > @@ -230,10 +230,7 @@
> >              pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir,
> > pw_shell \ = pwd.getpwnam(username)
> >          except KeyError:
> > -            return error.ErrorPage(http.NOT_FOUND,
> > -                                   "No Such User",
> > -                                   "The user %s was not found on this
> > system." % -                                   repr(username))
> > +            return error.NoResource()
> >          if sub:
> >              twistdsock = os.path.join(pw_dir, self.userSocketName)
> >              rs = ResourceSubscription('unix',twistdsock)
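Review bot: the `except KeyError:` branch now drops the failed lookup without any server-side record; returning `error.NoResource()` to the client is the right call, but the username should still be logged before the `return` (for example `log.msg("distrib: no such user %r" % (username,))`, assuming `twisted.python.log` is imported in this module) so an operator can tell a mistyped ~user path from any other missing resource.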
>
> _______________________________________________
> Twisted-Python mailing list
> Twisted-Python at twistedmatrix.com
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python

-- 
	UC

--
Open Source Solutions 4U, LLC	2570 Fleetwood Drive
Phone:  +1 650 872 2425		San Bruno, CA 94066
Cell:   +1 650 302 2405		United States
Fax:    +1 650 872 2417
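Bruce's suggestion above, keeping the detailed reason in the server log and showing it only to authenticated operators while every other client gets the same generic 404, as an added example in plain Python that is not part of this thread or of Twisted; the Request class, the sample password lookup, the admin flag and the socket file name are constructed stand-ins.

```python
import logging
import os
from collections import namedtuple
from dataclasses import dataclass

log = logging.getLogger("distrib")

# Constructed stand-ins: a two-entry "password database" and a hypothetical
# value for the per-user socket name that distrib.py keeps in userSocketName.
SAMPLE_PASSWD = {"alice": "/home/alice", "bob": "/home/bob"}
USER_SOCKET_NAME = ".twistd-web-pb"
PwEntry = namedtuple("PwEntry", "pw_dir")


def sample_getpwnam(username):
    """Mimic pwd.getpwnam: return an entry with pw_dir or raise KeyError."""
    if username not in SAMPLE_PASSWD:
        raise KeyError(username)
    return PwEntry(SAMPLE_PASSWD[username])


@dataclass
class Request:
    """Minimal stand-in for a web request (constructed for this example)."""
    path: str
    authenticated_admin: bool = False


# What every anonymous client sees, whatever the real cause of the failure.
GENERIC_404 = (404, "No Such Resource", "The requested resource was not found.")


def user_socket(request, username, getpwnam=sample_getpwnam):
    """Resolve ~username to its twistd socket path; returns (status, title, body).

    The real reason for a failure is always written to the server log.  It is
    placed in the HTTP response only for an authenticated administrator, so an
    anonymous client cannot distinguish a missing account from any other
    missing resource.  Pass pwd.getpwnam as getpwnam for a real lookup.
    """
    try:
        pw_dir = getpwnam(username).pw_dir
    except KeyError:
        detail = "no such user %r (requested via %s)" % (username, request.path)
        log.warning("distrib: %s", detail)           # operator-visible record
        if request.authenticated_admin:
            return (404, "No Such User", detail)     # debugging aid for staff
        return GENERIC_404                           # identical to any other 404
    return (200, "OK", os.path.join(pw_dir, USER_SOCKET_NAME))
```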