Django/Auth: Can request.user be exploited and point to other user?


Question

Let's say I have a form that does something in the database and requires user authentication, sent by POST. Is it possible for someone evil to change the user inside request in order to exploit the system?

The following example creates an item in the database but requires a logged-in user. Can someone send another user's data in request.user?

from django.shortcuts import render, redirect
from django.contrib.auth.decorators import login_required
from items_core.models import Item
from items.forms import CreateItemForm
from django.views.decorators.csrf import csrf_exempt


@csrf_exempt  # disables Django's CSRF check for this state-changing view
@login_required  # anonymous requests are redirected to the login page
def create(request):
    errors = None
    if request.method == 'POST':
        form = CreateItemForm(request.POST)
        if form.is_valid():
            try:
                # The owner is always the session-authenticated user, not a POST field.
                Item.objects.get(name=form.cleaned_data['name'], user=request.user)
                errors = 'Item already exists. Please provide another name.'
            except Item.DoesNotExist:
                Item.objects.create(name=form.cleaned_data['name'], user=request.user)
                return redirect('items:list')

        # Re-render an unbound form (this also drops any field validation errors).
        form = CreateItemForm()
    else:
        form = CreateItemForm()

    template = {
        'form': form,
        'items': Item.objects.filter(user=request.user),
        'request': request,
        'errors': errors,
    }

    return render(request, 'items/item_create.html', template)

Thanks!

Answer

The request.user object is of type SimpleLazyObject, which is added by the auth middleware to the request object.

SimpleLazyObject(LazyObject) is used to delay the instantiation of the wrapped class. At the time of requesting the actual logged-in user, the get_user method gets called.

# django.contrib.auth.middleware: resolved once per request, then cached on it
def get_user(request):
    if not hasattr(request, '_cached_user'):
        request._cached_user = auth.get_user(request)
    return request._cached_user

Here, auth.get_user() would in turn validate this way:

# user_id is read from request.session[SESSION_KEY] earlier in the same function;
# both values come from the server-side session, not from the request body
backend_path = request.session[BACKEND_SESSION_KEY]
backend = load_backend(backend_path)
user = backend.get_user(user_id) or AnonymousUser()

Hence, if the request.user object is tampered with, this validation would fail, as the session data validation would fail.
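The resolution path the answer describes, as an added example that is not part of the original post or of Django's code: a pure-Python stand-in for the session-to-user lookup, with constructed users, a constructed session store and a constructed signed-cookie scheme standing in for Django's unguessable session id. It shows that a user field in the POST body never reaches request.user, while an altered session cookie only ever yields AnonymousUser.

```python
import hashlib
import hmac

# Constructed stand-ins: Django reads settings.SECRET_KEY and writes these two
# keys into the server-side session when a user logs in.
SECRET_KEY = "constructed-secret-key"
SESSION_KEY = "_auth_user_id"
BACKEND_SESSION_KEY = "_auth_user_backend"

# Constructed server-side state: two users and one live session, alice's (pk 1).
USERS = {1: "alice", 2: "bob"}
SESSION_STORE = {"s3ss10n-alice": {SESSION_KEY: "1", BACKEND_SESSION_KEY: "model"}}

class AnonymousUser:
    id = None
    is_authenticated = False

class User:
    is_authenticated = True

    def __init__(self, pk, username):
        self.id, self.username = pk, username

def sign(session_id: str) -> str:
    """Cookie value 'sid:mac' (constructed scheme): editing the sid breaks the MAC."""
    mac = hmac.new(SECRET_KEY.encode(), session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}:{mac}"

def unsign(cookie: str):
    session_id = cookie.rpartition(":")[0]
    return session_id if hmac.compare_digest(sign(session_id), cookie) else None

def backend_get_user(user_id: str):
    pk = int(user_id)
    return User(pk, USERS[pk]) if pk in USERS else None

def get_user(request: dict):
    """Stand-in for the auth middleware's get_user: the user is looked up only via
    the session the cookie names, never from request.POST, then cached on the request."""
    if "_cached_user" not in request:
        sid = unsign(request["cookies"].get("sessionid", ""))
        session = SESSION_STORE.get(sid, {}) if sid else {}
        user = None
        if SESSION_KEY in session and session.get(BACKEND_SESSION_KEY) == "model":
            user = backend_get_user(session[SESSION_KEY])
        request["_cached_user"] = user or AnonymousUser()
    return request["_cached_user"]

def resolve(cookie: str, post: dict):
    """Resolve request.user for a constructed request carrying this cookie and POST body."""
    return get_user({"cookies": {"sessionid": cookie}, "POST": post})
```

resolve(sign("s3ss10n-alice"), {"user": "2"}) still returns alice, and a cookie whose session id was edited resolves to AnonymousUser.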
