From 37e5dd3123b9f8f952d6b9d098f52658cf4ef684 Mon Sep 17 00:00:00 2001
From: Attila
Date: Tue, 1 Jul 2025 17:23:24 +0200
Subject: [PATCH] Fixed circumventing blocking by appending whitespace to username (#248)

---
 defender/tests.py | 10 ++++++++++
 defender/utils.py | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/defender/tests.py b/defender/tests.py
index 5cee9a3..d2c1de9 100644
--- a/defender/tests.py
+++ b/defender/tests.py
@@ -1149,6 +1149,16 @@ class TestUtils(DefenderTestCase):
             "defender:blocked:username:johndoe", "blocked:username:"),
             "defender:blocked:username:johndoe")
+    def test_whitespace_block_circumvention(self):
+        username = "johndoe"
+        req = HttpRequest()
+        req.POST["username"] = f"{username} "  # username with appended whitespace
+        req.META["HTTP_X_REAL_IP"] = "1.2.3.4"
+
+        utils.block_username(username)
+
+        self.assertTrue(utils.is_already_locked(req))
+
 class TestRedisConnection(TestCase):
     """ Test the redis connection parsing """
diff --git a/defender/utils.py b/defender/utils.py
index 6b63fa7..3ab6241 100644
--- a/defender/utils.py
+++ b/defender/utils.py
@@ -195,7 +195,7 @@ def increment_key(key):
 def username_from_request(request):
     """ unloads username from default POST request """
     if config.USERNAME_FORM_FIELD in request.POST:
-        return request.POST[config.USERNAME_FORM_FIELD][:255]
+        return request.POST[config.USERNAME_FORM_FIELD][:255].strip()
     return None
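Review bot: The new test pins only trailing whitespace, so leading whitespace, which the `.strip()` in utils.py is equally meant to cover, goes untested; a second request with `req.POST["username"] = f" {username}"` asserted with `utils.is_already_locked(req)` would cover both sides. The method also lacks a docstring, unlike the neighbouring `TestRedisConnection` class; a one-liner such as `"""A blocked username stays blocked when the posted value carries surrounding whitespace."""` would state the regression being guarded. The POST key is the literal `"username"` rather than `config.USERNAME_FORM_FIELD`, which is the key `username_from_request` actually reads; this presumably matches the test settings, but reading the key from config would keep the test aligned with the code under test.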
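Review bot: The added line truncates to 255 characters before stripping, so a value padded with more than 255 leading whitespace characters is cut down to whitespace only and strips to `""`, meaning the lock check is made for an empty username while the real name is still present in the form field that downstream form handling may itself strip; reversing the order, `return request.POST[config.USERNAME_FORM_FIELD].strip()[:255]`, keeps the name inside the slice. Whether `block_username` and the key helpers normalise their input the same way is outside this hunk, and the new test exercises only this function's side of it. The docstring could also record the normalisation, e.g. `""" unloads username from default POST request, stripped of surrounding whitespace and cut to 255 chars """`.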