Enumeration is still possible through /user/UID/shortcuts page [#3101457]

Comment #1

17 December 2019 at 06:39

Chi created an issue. See original summary.

Log in or register to post comments

Comment #2

nicksanta commented 24 May 2020 at 13:04

#2133887: Enumeration still possible through user pages added all routes using the user entity link template. This should include the shortcut module's routes.

Have you tested this on the 8.x-1.0 release?

Log in or register to post comments

Comment #3

nicksanta commented 25 May 2020 at 00:25

Status:

Active

» Postponed (maintainer needs more info)

Log in or register to post comments

Comment #4

chi commented 25 May 2020 at 04:34

Status:

Postponed (maintainer needs more info)

» Active

This should include the shortcut module's routes.

Those routes do not have registered links on user entity. I've just tested on 1.0. The issue still exist.

Log in or register to post comments

Comment #5

25 May 2020 at 11:00

nicksanta authored f0cd5a7 on 8.x-1.x

Issue #3101457: Enumeration is still possible through /user/UID/...

Log in or register to post comments

Comment #6

nicksanta commented 25 May 2020 at 11:01

Status:

Active

» Fixed

Fix merged in https://github.com/nicksantamaria/drupal-username_enumeration_prevention... - thanks for the report @Chi!

Log in or register to post comments

Comment #7

8 June 2020 at 11:04

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Log in or register to post comments

Enumeration is still possible through /user/UID/shortcuts page

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Referenced by

News items

Our community

Documentation

Drupal code base

Governance of community