-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve Security / UX of private pages using a shared password #10588
Comments
My suggestions for fixing:
If we want a more thorough fix, we could:
Personally, I think it's worth doing the full solution, as adding point 3 would remove the need for point 2. If we're going to ship a feature, we should make sure it's as secure as possible by default, whilst protecting users from a potential foot-gun. Happy to create a patch if that makes sense to others. |
We already capture who updates the privacy options in the audit log. In the screenshot, I added a password, then updated it. |
The feature isn't very secure and not intended to be used in situations that should be very secure. Therefore, the help text warning (point 2) is the most important. We should add it to the user interface (for content editors) and to the Wagtail documentation (for developers). Hashing the password could contribute to the false impression that this feature is secure. Do we want to go down this road? Maybe we should not hash the password, but make the intended use-case even more clear. Maybe:
This way, everybody could have the correct understanding of the intended use-case and implications. And don't miss use the feature for situations it isn't designed for. |
Great idea Coen, I think that clear communication and terminology could really help here. |
Why? It follows Wagtail's existing permissions model for pages (which ought to be secure), collects and compares passwords in a secure way, and correctly restricts access. Besides how the password is stored (and the lack of strength requirements), I'm not sure I see how it "isn't very secure"? |
AFAIK, the intended use case is to share the password between multiple people. I've never encountered anyone using this feature in any other way. And: shared passwords are insecure. I'm sure Python/Django/Wagtail code doing the permission checks is fine. To me the plain password storage fits the use-case. Password is just the wrong name for the field. Maybe: shared secret? This shared password feature is the lightest form of 'security'. Hashing the password is easy, but I'm against it, as it doesn't fit the intended use-case. It would be better to reword and show the password in the admin interface. This would make it clear that, if a developer needs something better, they have to use one of the other options, or roll their own. |
I agree with @allcaps - I think we should opt for a different name for the field and maybe add some documentation. If we want to enhance this further, we could add a button that generates a really long unique string. It's still a shared secret, insecure, but it makes it slightly easier for users to make this secret more complex. This could make the behaviour a bit closer to something like a public link for a Google Document. We could even use some of their wording about how 'anyone with this link can access this page'. |
|
OK - I have updated this issue's description to hopefully align with the agreed items. I have created three new issues:
And left two tasks as standalone on this issue (we may opt to do/not do these or split these later).
|
Just added #11640 to the main issue description, a new enhancement suggestion has come up to allow either disabling privacy features completely or having even more control over them. Input welcome on that issue. cc @RealOrangeOne |
Issue Summary
Wagtail's page privacy feature could be improved to communicate better to the user and provide ways for Wagtail installations to fine tune how the 'shared password' is created.
Is your proposal related to a problem?
Wagtail allows pages to be password protected as part of a feature called 'private pages'.
An admin can specify a password, which an end user must enter when visiting a page to view the page. The same functionality exists for documents. This feature was only really intended for low-security applications.
Whilst the implementation is fundamentally secure, is has a few small weaknesses:
password
can be be inferred to be 'secure' when it is not.Aside: CVE-2020-11037 ensures that verification of the password is not vulnerable to a timing attack.
Because the password validation implementation is secure, it's not possible to exploit any of the above weaknesses to bypass authentication, however people may be using this feature incorrectly, and so improvements should be made.
Describe the solution you'd like
The following items may be split to standalone issues for easier collaboration.
shared_password
to alleviate future concerns.Additional context
PASSWORD_REQUIRED_TEMPLATE
&DOCUMENT_PASSWORD_REQUIRED_TEMPLATE
#11368 covers the change of the password form for password protected pages to have aWAGTAIL_
prefixed setting name.The text was updated successfully, but these errors were encountered: