Handling of reload pwd check #1191
Replies: 3 comments 2 replies
-
|
I agree that a RESTful approach should always have a response but I feel there is a security concern here. In a lot of cases, especially for larger Wheels apps, reloading the framework is resource intensive and may take a few minutes. My concern is that Bot attacks could use a 403 return to keep guessing whereas returning the 200 lets them think it worked. Now, I see your point that it also keeps the user guessing which isn't good. I only raise this point because of all the attacks we've dealt with, the 3 patterns of attack we see are:
I guess the correct way to deal with that would be to return a 403 and block the attacker after so many attempts but should that be a default for anyone who uses the framework? |
Beta Was this translation helpful? Give feedback.
-
|
@dbelanger yeah good point. TBH, having the reload mechanism just as a query rather than a route is perhaps less than ideal to start with. If it was handled by like A case in point we had an "issue" today (which got me onto this in the first place) and my first reaction was "right, I'm blocking that URL from the outside world completely", only to then firmly declare [I can't repeat it, but you know me and what it probably sounded like and how long it went on for] as I remembered it's a query parameter not a URL :-| Then I went to just override the method that dealt with it and... well... you saw my other thread... :-/ |
Beta Was this translation helpful? Give feedback.
-
|
TBH, alongside a dedicated URL, it really should be a POST request in production, as otherwise the query string can potentially end up in server logs (depending on the configuration of the server). |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
G'day again:
This code here in
onRequestStart:If that check fails, shouldn't one get a
403response, not just "ah well, we'll ignore all that".If a request has asked to do something, but the conditions for the request have not been met, it should not ignore things, it should respond with the appropriate
4xxstatus, right?--
Adam
Beta Was this translation helpful? Give feedback.
All reactions