Refs #35730: Encrypted 'uid’ parameter instead of base64-encoding to prevent possible user count leakage

django/contrib/auth/forms.py

@@ -10,8 +10,6 @@
 from django.core.exceptions import ValidationError
 from django.core.mail import EmailMultiAlternatives
 from django.template import loader
-from django.utils.encoding import force_bytes
-from django.utils.http import urlsafe_base64_encode
 from django.utils.text import capfirst
 from django.utils.translation import gettext
 from django.utils.translation import gettext_lazy as _
@@ -478,7 +476,7 @@ def save(
                 "email": user_email,
                 "domain": domain,
                 "site_name": site_name,
-                "uid": urlsafe_base64_encode(force_bytes(user.pk)),
+                "uid": token_generator.encrypt_uid(user.pk),
                 "user": user,
                 "token": token_generator.make_token(user),
                 "protocol": "https" if use_https else "http",

django/contrib/auth/tokens.py

@@ -1,8 +1,15 @@
+import hashlib
 from datetime import datetime
 
 from django.conf import settings
 from django.utils.crypto import constant_time_compare, salted_hmac
-from django.utils.http import base36_to_int, int_to_base36
+from django.utils.encoding import force_bytes, force_str
+from django.utils.http import (
+    base36_to_int,
+    int_to_base36,
+    urlsafe_base64_decode,
+    urlsafe_base64_encode,
+)
 
 
 class PasswordResetTokenGenerator:
@@ -128,5 +135,40 @@ def _now(self):
         # Used for mocking in tests
         return datetime.now()
 
+    def _xor_encrypt_decrypt(self, uid):
+        """
+        Performs XOR encryption/decryption on a uid to obfuscate
+        its value in the reset link.
+        This approach avoids adding a new dependency for encryption,
+        which is not natively part of Python's standard library.
+        The cypher key is a salted hash of the SECRET_KEY.
+        It is important that the cipher key is at least as long as the uid.
+        We use the SHA-512 hash algorithm to ensure a long enough cipher key (64 bytes)
+        to encrypt UUID4s (36 bytes) that might be used as primary key.
+        BigAutoField (the default primary key) is also supported since
+        it has a maximum size of 19 bytes. We cycle the key to also support the
+        unlikely scenario that the uid is longer than 64 bytes.
+        """
+        key = hashlib.sha512(force_bytes(f"{self.key_salt}{self.secret}")).digest()
+        uid_bytes = force_bytes(uid)
+        xor_ciphertext = bytes(
+            a ^ b for a, b in zip(uid_bytes, (key * (len(uid_bytes) // len(key) + 1)))
+        )
+        return xor_ciphertext
+
+    def encrypt_uid(self, uid):
+        """
+        Returns a XOR-encrypted user id for use in the password reset mechanism.
+        """
+        xor_ciphertext = self._xor_encrypt_decrypt(uid)
+        return urlsafe_base64_encode(xor_ciphertext)
+
+    def decrypt_uid(self, encrypted_uidb64):
+        """
+        Returns the decrypted user id given the base64-encoded encrypted user id.
+        """
+        xor_ciphertext = urlsafe_base64_decode(encrypted_uidb64)
+        return force_str(self._xor_encrypt_decrypt(xor_ciphertext))
+
 
 default_token_generator = PasswordResetTokenGenerator()

django/contrib/auth/views.py

@@ -298,9 +298,9 @@ def dispatch(self, *args, **kwargs):
         return self.render_to_response(self.get_context_data())
 
     def get_user(self, uidb64):
+        user = None
         try:
-            # urlsafe_base64_decode() decodes to bytestring
-            uid = urlsafe_base64_decode(uidb64).decode()
+            uid = self.token_generator.decrypt_uid(uidb64)
             user = UserModel._default_manager.get(pk=uid)
         except (
             TypeError,
@@ -309,7 +309,22 @@ def get_user(self, uidb64):
             UserModel.DoesNotExist,
             ValidationError,
         ):
-            user = None
+            pass
+
+        # Temporarily support the old format of uid base64-encoded as plain text
+        if user is None:
+            try:
+                uid = urlsafe_base64_decode(uidb64).decode()
+                user = UserModel._default_manager.get(pk=uid)
+            except (
+                TypeError,
+                ValueError,
+                OverflowError,
+                UserModel.DoesNotExist,
+                ValidationError,
+            ):
+                pass
+
         return user
 
     def get_form_kwargs(self):

docs/releases/5.2.txt

@@ -52,6 +52,8 @@ Minor features
 * The default iteration count for the PBKDF2 password hasher is increased from
   870,000 to 1,000,000.
 
+* The ``uid`` parameter in password reset emails is now obfuscated to prevent potential leakage of user count. This change hides the user's primary key (``user.pk``), which was previously only base64-encoded. The obfuscation is achieved using a simple XOR cipher.
+
 :mod:`django.contrib.contenttypes`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

tests/auth_tests/test_templates.py

@@ -12,7 +12,6 @@
 )
 from django.test import RequestFactory, TestCase, override_settings
 from django.urls import reverse
-from django.utils.http import urlsafe_base64_encode
 
 from .client import PasswordResetConfirmClient
 from .models import CustomUser
@@ -67,7 +66,7 @@ def test_password_reset_confirm_view_valid_token(self):
         client = PasswordResetConfirmClient()
         default_token_generator = PasswordResetTokenGenerator()
         token = default_token_generator.make_token(self.user)
-        uidb64 = urlsafe_base64_encode(str(self.user.pk).encode())
+        uidb64 = default_token_generator.encrypt_uid(self.user.pk)
         url = reverse(
             "password_reset_confirm", kwargs={"uidb64": uidb64, "token": token}
         )
@@ -87,7 +86,7 @@ def test_password_reset_confirm_view_error_title(self):
         client = PasswordResetConfirmClient()
         default_token_generator = PasswordResetTokenGenerator()
         token = default_token_generator.make_token(self.user)
-        uidb64 = urlsafe_base64_encode(str(self.user.pk).encode())
+        uidb64 = default_token_generator.encrypt_uid(self.user.pk)
         url = reverse(
             "password_reset_confirm", kwargs={"uidb64": uidb64, "token": token}
         )
@@ -106,7 +105,7 @@ def test_password_reset_confirm_view_custom_username_hint(self):
         client = PasswordResetConfirmClient()
         default_token_generator = PasswordResetTokenGenerator()
         token = default_token_generator.make_token(custom_user)
-        uidb64 = urlsafe_base64_encode(str(custom_user.pk).encode())
+        uidb64 = default_token_generator.encrypt_uid(custom_user.pk)
         url = reverse(
             "password_reset_confirm", kwargs={"uidb64": uidb64, "token": token}
         )

tests/auth_tests/test_views.py

@@ -15,6 +15,7 @@
     SetPasswordForm,
 )
 from django.contrib.auth.models import Permission, User
+from django.contrib.auth.tokens import PasswordResetTokenGenerator
 from django.contrib.auth.views import (
     INTERNAL_RESET_SESSION_TOKEN,
     LoginView,
@@ -35,7 +36,6 @@
 from django.test import Client, TestCase, modify_settings, override_settings
 from django.test.client import RedirectCycleError
 from django.urls import NoReverseMatch, reverse, reverse_lazy
-from django.utils.http import urlsafe_base64_encode
 
 from .client import PasswordResetConfirmClient
 from .models import CustomUser, UUIDUser
@@ -552,9 +552,10 @@ def _test_confirm_start(self):
         return super()._test_confirm_start()
 
     def test_confirm_invalid_uuid(self):
-        """A uidb64 that decodes to a non-UUID doesn't crash."""
+        """An encrypted non-UUID doesn't crash."""
         _, path = self._test_confirm_start()
-        invalid_uidb64 = urlsafe_base64_encode(b"INVALID_UUID")
+        default_token_generator = PasswordResetTokenGenerator()
+        invalid_uidb64 = default_token_generator.encrypt_uid("INVALID_UUID")
         first, _uuidb64_, second = path.strip("/").split("/")
         response = self.client.get(
             "/" + "/".join((first, invalid_uidb64, second)) + "/"