drupal-settings-json/currentPath is leaking user existence

Created on 28 June 2022, over 3 years ago

Updated 27 January 2023, over 2 years ago

Problem/Motivation

This module still leaves data that could be use to enumerate users. In this case its the value of DrupalSettings' currentPath.

Steps to reproduce

Install a fresh drupal:

# You just need php + composer
composer create-project drupal/recommended-project example.localhost -n
cd example.localhost
composer require drush/drush 
vendor/bin/drush si standard --locale=fr --db-url=sqlite://../drupal.sqlite -y

Download & enable the username_enumeration_prevention module:

composer require  drupal/username_enumeration_prevention
drush en username_enumeration_prevention -y

Make a diff of the pages' source between a existing user and a non existing user (notice the value of currentPath):

 diff <(curl http://127.0.0.1:8888/user/1 -sv) <(curl http://127.0.0.1:8888/user/100 -sv)
...
<     <script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","scriptPath":null,"pathPrefix":"","currentPath":"user\/1","currentPathIsAdmin":false,"isFront":false,"currentLanguage":"fr"},"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"ajaxTrustedUrl":{"\/search\/node":true},"user":{"uid":0,"permissionsHash":"c693ecfe15f364491727ae2f803543c57ae831034238047f08998408675ec052"}}</script>
---
>     <script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","scriptPath":null,"pathPrefix":"","currentPath":"","currentPathIsAdmin":false,"isFront":false,"currentLanguage":"fr"},"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"ajaxTrustedUrl":{"\/search\/node":true},"user":{"uid":0,"permissionsHash":"c693ecfe15f364491727ae2f803543c57ae831034238047f08998408675ec052"}}</script>

Proposed resolution

Use hook_js_settings_alter to remove this info (or to set it to the requested path) on 404. Or return a fast 404 ?

Remaining tasks

Propose a patch
Update change

User interface changes

none

API changes

none

Data model changes

none

🐛 Bug report

Status

Needs review

Version

1.2

Component

Code

Created by

🇫🇷France o'briat Nantes

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 2 years ago →
System Message
O'Briat → closed merge request !3
Comment over 2 years ago →
🇫🇷France o'briat Nantes
Status changed to RTBC over 2 years ago2:47pm 19 June 2023
Comment over 2 years ago →
🇦🇺Australia cafuego
Works as advertised. Thank you :-)
@obriat opened merge request.
Comment 7 months ago →
🇺🇦Ukraine vitalius2009
I added the patch for that, because MR is not applied due 2 years already.
Comment about 2 months ago →
🇫🇷France johnatas
Hey,

Thanks for your work.

I can confirm that I still encounter this issue with :

Drupal 11.2.2 and 11.2.3

username_enumeration_prevention 1.4.0

and that patch #9 does indeed fix the problem.

I’m proposing a patch with a reworked version that’s more “Drupal ≥11.1 friendly”, namely by using a class-based hook.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024