It would already be helpful if there was a simple log entry, console message etc. about this On Monday 28 April 2003 01:41 pm, Bruce Mitchener wrote:

itamarst CVS wrote:

...

Modified files: Twisted/twisted/web/distrib.py 1.47 1.48

Log message: "no such user" is too informative, no need to give attackers more information than necessary

While there is good motivation for not making this public info, it seems like it would be a good thing to make this available to someone debugging the system, either by way of the log file or some other means.

While not necessarily appropriate for Twisted, one approach that I've used well in the past (in my own webserver and web app software) was to have an error page that recognized authenticated users and would display generic errors to unknown or unauthorized users, and informative/descriptive errors to authorized people (as well as direct access to the web-based tools used to determine what went wrong and so on).

Maybe some sort of policy framework might let that happen within Twisted or some other generalized logging infrastructure. But at the least, it seems like this sort of info should be logged.

Cheers,

- Bruce

...

ViewCVS links: http://twistedmatrix.com/users/jh.twistd/viewcvs/cgi/viewcvs.cgi/twisted/ web/distrib.py.diff?r1=text&tr1=1.47&r2=text&tr2=1.48&cvsroot=Twisted

Index: Twisted/twisted/web/distrib.py diff -u Twisted/twisted/web/distrib.py:1.47 Twisted/twisted/web/distrib.py:1.48 --- Twisted/twisted/web/distrib.py:1.47 Tue Dec 3 03:21:48 2002 +++ Twisted/twisted/web/distrib.py Mon Apr 28 13:36:52 2003 @@ -230,10 +230,7 @@ pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell \ = pwd.getpwnam(username) except KeyError: - return error.ErrorPage(http.NOT_FOUND, - "No Such User", - "The user %s was not found on this system." % - repr(username)) + return error.NoResource() if sub: twistdsock = os.path.join(pw_dir, self.userSocketName) rs = ResourceSubscription('unix',twistdsock)

_______________________________________________ Twisted-Python mailing list Twisted-Python@twistedmatrix.com http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python

-- UC -- Open Source Solutions 4U, LLC 2570 Fleetwood Drive Phone: +1 650 872 2425 San Bruno, CA 94066 Cell: +1 650 302 2405 United States Fax: +1 650 872 2417

It would already be helpful if there was a simple log entry, console message etc. about this On Monday 28 April 2003 01:41 pm, Bruce Mitchener wrote:

itamarst CVS wrote:

...

Modified files: Twisted/twisted/web/distrib.py 1.47 1.48

Log message: "no such user" is too informative, no need to give attackers more information than necessary

While there is good motivation for not making this public info, it seems like it would be a good thing to make this available to someone debugging the system, either by way of the log file or some other means.

While not necessarily appropriate for Twisted, one approach that I've used well in the past (in my own webserver and web app software) was to have an error page that recognized authenticated users and would display generic errors to unknown or unauthorized users, and informative/descriptive errors to authorized people (as well as direct access to the web-based tools used to determine what went wrong and so on).

Maybe some sort of policy framework might let that happen within Twisted or some other generalized logging infrastructure. But at the least, it seems like this sort of info should be logged.

Cheers,

- Bruce

...

ViewCVS links: http://twistedmatrix.com/users/jh.twistd/viewcvs/cgi/viewcvs.cgi/twisted/ web/distrib.py.diff?r1=text&tr1=1.47&r2=text&tr2=1.48&cvsroot=Twisted

Index: Twisted/twisted/web/distrib.py diff -u Twisted/twisted/web/distrib.py:1.47 Twisted/twisted/web/distrib.py:1.48 --- Twisted/twisted/web/distrib.py:1.47 Tue Dec 3 03:21:48 2002 +++ Twisted/twisted/web/distrib.py Mon Apr 28 13:36:52 2003 @@ -230,10 +230,7 @@ pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell \ = pwd.getpwnam(username) except KeyError: - return error.ErrorPage(http.NOT_FOUND, - "No Such User", - "The user %s was not found on this system." % - repr(username)) + return error.NoResource() if sub: twistdsock = os.path.join(pw_dir, self.userSocketName) rs = ResourceSubscription('unix',twistdsock)

_______________________________________________ Twisted-Python mailing list Twisted-Python@twistedmatrix.com http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python

-- UC -- Open Source Solutions 4U, LLC 2570 Fleetwood Drive Phone: +1 650 872 2425 San Bruno, CA 94066 Cell: +1 650 302 2405 United States Fax: +1 650 872 2417