drupal-settings-json/currentPath is leaking user existence

Created on 28 June 2022, over 2 years ago
Updated 19 June 2023, over 1 year ago

Problem/Motivation

This module still leaves data that could be used to enumerate users. In this case it's the value of drupalSettings' currentPath.

Steps to reproduce

  1. Install a fresh Drupal (you only need PHP + Composer):
    composer create-project drupal/recommended-project example.localhost -n
    cd example.localhost
    composer require drush/drush
    vendor/bin/drush si standard --locale=fr --db-url=sqlite://../drupal.sqlite -y

  2. Download & enable the username_enumeration_prevention module:
    composer require drupal/username_enumeration_prevention
    vendor/bin/drush en username_enumeration_prevention -y

  3. Run Drupal with the embedded server:
    vendor/bin/drush --quiet runserver 8888 &

  4. Diff the page source of an existing user against a non-existing user (notice the value of currentPath):
    diff <(curl http://127.0.0.1:8888/user/1 -sv) <(curl http://127.0.0.1:8888/user/100 -sv)
    ...
    <     <script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","scriptPath":null,"pathPrefix":"","currentPath":"user\/1","currentPathIsAdmin":false,"isFront":false,"currentLanguage":"fr"},"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"ajaxTrustedUrl":{"\/search\/node":true},"user":{"uid":0,"permissionsHash":"c693ecfe15f364491727ae2f803543c57ae831034238047f08998408675ec052"}}</script>
    ---
    >     <script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","scriptPath":null,"pathPrefix":"","currentPath":"","currentPathIsAdmin":false,"isFront":false,"currentLanguage":"fr"},"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"ajaxTrustedUrl":{"\/search\/node":true},"user":{"uid":0,"permissionsHash":"c693ecfe15f364491727ae2f803543c57ae831034238047f08998408675ec052"}}</script>
    

Proposed resolution

Use hook_js_settings_alter() to remove this info (or to set it to the requested path) on 404. Or return a fast 404?
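As an added illustration (not the module's own code and not the patch for this issue), a hook_js_settings_alter() implementation along the lines proposed, in a hypothetical module named example_module. It assumes that Drupal core's 404 exception subscriber exposes the thrown exception in the sub-request's `exception` attribute; the second check on the `system.404` route name is a fallback for that assumption.

```php
<?php

/**
 * @file
 * Normalise drupalSettings.path.currentPath on 404 pages (example_module, hypothetical).
 */

use Drupal\Core\Asset\AttachedAssetsInterface;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

/**
 * Implements hook_js_settings_alter().
 *
 * On a normal page, currentPath is the resolved internal path of the entity
 * being shown (e.g. "user/1"), while the 404 page renders it as "". That
 * difference alone reveals whether an account exists. On a 404, rewrite the
 * value to the path the client actually requested, so that existing and
 * non-existing accounts produce structurally identical settings.
 */
function example_module_js_settings_alter(array &$settings, AttachedAssetsInterface $assets) {
  if (!isset($settings['path']['currentPath'])) {
    return;
  }

  // During rendering of the 404 page, the current request is the sub-request
  // created by core's exception handling. Assumption: it carries the original
  // exception in its 'exception' attribute; fall back to the route name.
  $request = \Drupal::request();
  $exception = $request->attributes->get('exception');
  $is_404 = $exception instanceof NotFoundHttpException
    || \Drupal::routeMatch()->getRouteName() === 'system.404';

  if (!$is_404) {
    return;
  }

  // Echo the requested path (without the leading slash, matching the format of
  // currentPath on successful pages). Request-derived, so it carries no
  // information about whether the target exists.
  $settings['path']['currentPath'] = ltrim($request->getPathInfo(), '/');
}
```

With this in place, /user/1 and /user/100 both report the requested path in currentPath, and the diff from step 4 of the reproduction no longer differs on that key.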

Remaining tasks

  1. Propose a patch
  2. Update change

User interface changes

none

API changes

none

Data model changes

none

🐛 Bug report
Status

RTBC

Version

1.0

Component

Code

Created by

O'Briat (Nantes, France)
