#36901 (Centralize mitigations against timing attacks targeting user enumeration) – Django highlights that our handling of authentication differs when using the regular auth ModelBackend vs the modwsgi handler. In the past, this was the cause of a vulnerability.
Given the prevalence of modwsgi (or lack thereof), it’s unlikely the support needs to be in Django core, and could easily be extracted into a separate module. If modwsgi support was raised as a suggestion now, I doubt it would be accepted. This doesn’t avoid #36901, but it does reduce the amount of code to maintain in Django itself.
This could be a small stepping stone towards our version of PEP 594.
Yep, I’d support removing this from core (into an easily installable package) at this point. +1
I’d suggest that such a package is released with an explicit call for maintainers to step forward if they need it, or immediately marked as being supported only for (say) the current release, and then marked unmaintained/EOL. (Anyone can pick it up at any time.)
In favor, but there are some logistical challenges. Is this something that we put into a separate, less-well-maintained Django org repo? Do we see if we can coordinate it with Django Commons somehow? I think this is a good target for figuring some of these questions out.
+1 for removing it.
There’s a precedent for moving things to packages in django-localflavor, which was previously extracted from django.contrib some time ago.
That said, the code is minimal: 66 lines. I am not sure it’s worth the effort of packaging and releasing, which will presumably mostly fall on the already-stretched Fellows.
Any potential maintainer will still have a chance to step forward, maybe through finding this forum thread, and release their own package.