backdrop-contrib / antiscan

Block bad crawlers automatically - module for Backdrop CMS.
GNU General Public License v2.0

Default pattern "administrator" conflicts with ability to filter for users with role: "administrator" #1

Closed herbdool closed 3 years ago

herbdool commented 3 years ago

With the default patterns in this module there's a really easy way to get banned. Just go to /admin/people/list?status=All&role=administrator&username= where it filters by the administrator role.

The quick fix is to remove administrator from the pattern list. But this item should probably not be in the default list.

It might be good to also have a whitelist to prevent some users from being banned, like https://www.drupal.org/project/autoban has.

findlabnet commented 3 years ago

Thank you for testing, I've already found some other false positives - "fck" and "wp-*" can be found within hashed js/css paths. The quick fix to prevent it is to start such defaults with an opening slash, e.g. "/administrator", "/fck", "/wp-*" and so on.

A starting point for defining unblockable patterns already exists as a variable named "path_noblock" with only one value, "user/", but there is no GUI for adding settings yet. I think it is a good idea to add this element.

findlabnet commented 3 years ago

Any suggestions for protected-by-default patterns? user/, admin/ ... more?
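A small model of the matching behaviour the two comments above discuss, showing why the unanchored defaults misfire on the admin people filter and on hashed asset paths, why the slash-anchored defaults do not, and how a "path_noblock" prefix list exempts legitimate paths. This is an added example, not the antiscan module's own code; it assumes patterns are shell-style globs searched anywhere in the request URI (path plus query string) and that path_noblock entries are compared as path prefixes, and the request URIs and hashed filenames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed from the thread: the original unanchored defaults, the
# slash-anchored defaults proposed as the fix, and the exemption list.
OLD_PATTERNS = ["administrator", "fck", "wp-*"]
NEW_PATTERNS = ["/administrator", "/fck", "/wp-*"]
PATH_NOBLOCK = ["user/", "admin/"]  # "user/" is the existing value; "admin/" is the suggestion


def _pattern_to_regex(pattern):
    """Assumption: '*' is a wildcard, everything else is literal, match is a
    case-insensitive substring search over the whole request URI."""
    parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(parts), re.IGNORECASE)


def matching_pattern(request_uri, patterns, noblock=PATH_NOBLOCK):
    """Return the pattern that would ban this request, or None if it is
    exempt (path starts with a noblock prefix) or nothing matches."""
    path = urlsplit(request_uri).path.lstrip("/")
    if any(path.startswith(prefix) for prefix in noblock):
        return None
    for pattern in patterns:
        if _pattern_to_regex(pattern).search(request_uri):
            return pattern
    return None


if __name__ == "__main__":
    # The false positive from the issue: the role filter carries "administrator"
    # in the query string, and a hashed CSS name happens to contain "fck".
    legit = [
        "/admin/people/list?status=All&role=administrator&username=",
        "/files/css/css_fckq3Zb.css",  # constructed hashed asset name
    ]
    # Requests that an anchored pattern should still catch.
    probes = ["/wp-login.php", "/administrator/index.php", "/fckeditor/"]
    for uri in legit + probes:
        print(uri, "old:", matching_pattern(uri, OLD_PATTERNS, noblock=[]),
              "new:", matching_pattern(uri, NEW_PATTERNS))
```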

findlabnet commented 3 years ago

Resolved in new release.