Problem/Motivation
Usernames are somewhat important, especially for brute force attacks. Although the Drupal security team does not consider exposure of usernames a weakness, we should still make a best effort to add a capability to hide them.
Proposed resolution
Base the ability to view usernames off the "view label" entity access operation introduced in New 'view label' entity access operation added.
See also #849602-59: Update 'username' theme template to use 'view label' operation.
Remaining tasks
-
Data model changes
Original report by greggles
Usernames are somewhat important, especially for brute force attacks.
There are a few callbacks in contributed modules that let people see usernames that I would like to change to "access user profiles". We need core to be consistent on this front first, though.
theme_username currently does some access checking to determine whether or not to link to the profile. I suggest we also check to see whether or not the user should be allowed to see the username.
Comment | File | Size | Author |
---|---|---|---|
#95 | 849602-nr-bot.txt | 176 bytes | needs-review-queue-bot |
#87 | user-template-displayname-access-849602-87.patch | 9.82 KB | darvanen |
#53 | hide_usernames_from-849602-53.patch | 1.84 KB | hitesh-jain |
#50 | hide_usernames_from-849602-50.patch | 1.84 KB | hitesh-jain |
#44 | hide_usernames_from-849602-44.patch | 1.84 KB | hitesh-jain |
Comments
Comment #1
gregglesSlightly better title.
Comment #2
Dave ReidThere are other things not tied to access user profiles: showing the user picture in comments and nodes.
Comment #3
Damien Tournoud CreditAttribution: Damien Tournoud commentedHm? So what do you suggest we display if the user cannot see the user name?
Comment #4
Damien Tournoud CreditAttribution: Damien Tournoud commentedRough mock-up of the new node display:
Comment #5
greggles@Dave Reid: I think we could consider expanding this to hide the photo from people who don't have access user profiles.
@Damz: It's not so hard to imagine a real and reasonable value, so I guess your comment is really just a "-1".
I'd also be happy to have a new permission for this that defaults to on for anonymous (since access user profiles defaults to off).
Comment #6
ivanSB@drupal.orgEven "by (a registered user)" could be considered an information leak.
The current user profile is susceptible of information leakage too. I'm just writing a module that should hide users existence accordingly to their privacy setting.
Hiding their profile is a hack... you can return a 404 too late and still you've to drupal_set_title.
It should be possible to add permission checks much earlier to save resources so it would make even harder to guess uid existence comparing response time.
Then there is user_autocomplete...
Comment #7
Dave Reid@ivanSB: The autocomplete callback in user.module is restricted to the 'access user profiles' permission. Not sure what you're referring to.
Comment #8
ivanSB@drupal.orgI'm thinking to a more general problem... completely hide user existence... selectively.
I'm thinking about http://drupal.org/project/profile_privacy (that fortunately has already a D7 branch) and OG (or any other group management solution).
There is no standard way to set if a user would like to make its profile private or become completely anonymous and which details to show and if and how he want to be contacted (too broad but could be improved giving some "hooks" to other modules to change the visibility of profile fields).
There are other details that a user may wish to hide (last time logged in, update time, email, timezone, language...).
Dealing with these with a more uniform interface may make easier to eg. grant access to groups or cascading module modifications to these details.
eg if I want to prevent modules to link to a profile I've to redefine the theme('username'. Setting $object->uid=null in hook_nodeapi is risky, because something downstream may need it etc...
Maybe the authors of profile_privacy may share some insight and experience.
Comment #9
gregglesLet's really not drag this off-topic into something huge. It's a contentious enough topic on its own.
Comment #10
mr.baileysMarked #899650: Drupal should not reveal existence of registered specific email addresses to unauthorized users as duplicate.
Comment #11
aalapati CreditAttribution: aalapati commentedIssue with http://drupal.org/user/number - will display user details but in my site we restricted as "Access denied You are not authorized to access this page." with standard template format.
but in html source code display in
<body class="page not-front not-logged-in no-sidebars page-users-xxxxxxx section-users " >
This is issue reported in our security testing!
Comment #12
LarsKramer CreditAttribution: LarsKramer commentedMoving back to 8.x-dev
Comment #13
marthinal CreditAttribution: marthinal commentedhello ,
I think that when could increment security adding to core something like USERNAME and other field USER LOGIN NAME or something like at the register user form .I did it for drupal 6 with some form alters.In this case you can know the name but into the login form you ask for USER LOGIN NAME (or email if you want) and you increment the security.ALso we could hide emails and other things from permissions...
Comment #14
greggles@marthinal - see http://drupal.org/project/realname
Comment #15
penyaskitoI'd like to have this on D8, so I'll try to do something about it. Tagging as security btw.
Should this be on template_preprocess_username? Not sure if it could be too late on the page generation flow and it could be hijacked by a buggy theme. If that is OK, it could be as simple as adding a new permission, and not filling $variables['name] and $variables['name_raw'].
This is how this first patch starts.
Comment #16
penyaskitoIf it's the right path to follow, this will need tests.
Comment #18
penyaskitoFix at least the existing tests by adding the permission.
Comment #19
kfritscheOnly a minor issue making "an invisible user" configurable? Maybe cut-out "an", because "an" is maybe only needed for the info field.
But a more major issue would be, if the preprocess is the right place. I'm not sure about it, because themers can mess around with it, but I do not have a better idea yet.
On user load you can't work with user name on any other place.
On user view it only would affect the profile page.
Comment #21
penyaskitoAnother pending issue is that it shows: " invisible user (not verified) ". The "non verified" string is another info leak.
Comment #22
hefox CreditAttribution: hefox commentedHere's a different take on it.
A general issue is there is not a standard way to check for access on a user object, unlike nodes. So instead of adding a new permission specially for seeing usernames, this patch introduces a generic "access users" permission that acts like "access content" permission does for nodes, and a user_access_user function that acts like node_access does for node, and checks that.
Comment #24
hefox CreditAttribution: hefox commentedComment #25
Grayside CreditAttribution: Grayside commentedI like the symmetry, but shouldn't this follow #1696660: Add an entity access API for single entity access?
Comment #26
hefox CreditAttribution: hefox commentedHm, that and #777578: Add an entity query access API and deprecate hook_query_ENTITY_TYPE_access_alter() are extremly overlapping.
It could, but not without depedening on the other patch, and should be simple enough to change once/if #1696660: Add an entity access API for single entity access lands.
Comment #27
Grayside CreditAttribution: Grayside commentedEntity access and #1862752: Implement entity access API for users landed. Is this issue now duplicate?
Comment #28
mgiffordWould be great if we could bring this into D8.
Comment #29
alansaviolobo CreditAttribution: alansaviolobo commentedComment #33
mgiffordPatch applies nicely.
Comment #36
rpayanmWould be
$account = \Drupal::currentUser();
?Comment #37
oakulm CreditAttribution: oakulm as a volunteer commentedHere is a new approach to this issue. Patch at #29 is outdated by far and is using old D7 stuff. The naming of the "Invisible user" is to be discussed and if the string should be a variable or something else?
Comment #39
oakulm CreditAttribution: oakulm as a volunteer commentedHere is a new patch. Last one didn't remove the user id in markup.
Comment #42
hitesh-jain CreditAttribution: hitesh-jain at Acquia commentedComment #43
hitesh-jain CreditAttribution: hitesh-jain at Acquia commentedComment #44
hitesh-jain CreditAttribution: hitesh-jain at Acquia commentedApplied changes against 8.2.x branch and removing Needs Reroll tag as I could apply the patch, so no reroll is needed.
Comment #46
hitesh-jain CreditAttribution: hitesh-jain at Acquia commentedComment #48
hitesh-jain CreditAttribution: hitesh-jain at Acquia commentedComment #50
hitesh-jain CreditAttribution: hitesh-jain as a volunteer commentedCreating patch with 8.3.x branch and changing all the required items.
Comment #52
hitesh-jain CreditAttribution: hitesh-jain as a volunteer commentedComment #53
hitesh-jain CreditAttribution: hitesh-jain as a volunteer commentedComment #54
hitesh-jain CreditAttribution: hitesh-jain as a volunteer commentedComment #57
ivrh CreditAttribution: ivrh commentedSeeing a lot of sceptical comments and attempts to expand the scope. Would it be beneficial to update the issue story specifying that the patch is targeting the Username Enumeration vulnerability and not anything else.
Note for developers: the patch should alter the way Drupal sends 403 or 404 response in cases where an anonymous user is accessing a profile page for a user that exists in the system vs opposite. Currently it's possible to find out username existence based on response code (in particular with pathauto module redirecting to an aliased user profile page). I have described the problem in https://ivan.grynenko.com/username-enumeration-vulnerability-drupal
Note for sceptics: it's okay to have your own opinion on the issue, but please do not pollute this thread with discussions, do it somewhere else.
Comment #58
cilefen CreditAttribution: cilefen commentedMore similar discussions: https://www.drupal.org/node/1004778
Comment #59
dpiWe have an issue committed in Drupal 8.1 which introduced core use of a entity access "view label" operation. See New 'view label' entity access operation added.
Patch for this issue can be written to be based off this operation.
Per the original issue request, a contrib module is capable of mapping the access user profiles permission to "view label" operation using
hook_hook_entity_access
hooks. I don't think it would be correct default behaviour to hide user labels. We even have this fragment in\Drupal\user\UserAccessControlHandler
:New 'view label' entity access operation added introduces the string "- Restricted access -" for when access to view the label of an entity is restricted.
Comment #60
dpiFixed link
Comment #61
dpiComment #63
dpiAccess to view the the account label is now controlled by the entity 'view label' operation. This does not affect non-users.
This patch does not inherit code from previous efforts.
Comment #64
dpiWrong version, try again.
Comment #67
dpiQuick fix: fixed issue with new test not ordering expected tags alphabetically.
Interdiff with #64
Comment #71
vijaycs85Rerolling against 8.7.x.
Comment #73
dpiComment #74
dpiErgh
Comment #76
dpiReroll and fix deprecations
Comment #81
darvanenReroll in #71 missed the new UserTemplateTest.
I've rerolled from #67 for 9.2.x and I think I've captured the deprecations from #76 as well.
Let's see what the testbot says about it.
Comment #83
darvanenAh. Missed one.
This should fix 6 of the 7 errors - the other one... I'm not sure why that's happening.
Comment #85
anmolgoyal74 CreditAttribution: anmolgoyal74 at OpenSense Labs for DrupalFit commentedTried to fix the remaining failed cases.
Comment #87
darvanenNice one @anmolgoyal74.
The restricted user permission was being interrupted by the 'sub-admin' permission in the test setup. This change will make the test pass according to local testing but it needs someone else to take a good look at it to make sure I'm not breaking some logic, because I don't yet understand what that sub-admin test is doing.
Comment #89
mxr576I think we have bumped into the same problem ;S Maybe we should join our effort in the other issuer?
Comment #90
dpi@mxr576 that doesnt seem appropriate, this issue has a very concise scope. The solution for #3240913: Make username access configurable and not implicit allowed already exists, so perhaps it can be rescoped to a general initiative wherein the 'view label' operation is increasingly used.
Comment #91
mxr576But until username access is always allowed in Drupal core and access check is missing from several places, I see less value in solving the task at hand here. Yes, a contrib modules can minimally benefit from this fix although because usernames are not always printed with
'#theme' => 'username';
neither in core, nor in contrib modules, therefore, a proper fix cannot be provided on downstream projects either.Comment #95
needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commentedThe Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.