[pydotorg-www] [Pydotorg] XSS security issue

Michael Foord michael at voidspace.org.uk
Mon Jul 15 10:09:08 CEST 2013


On 15 Jul 2013, at 11:05, "M.-A. Lemburg" <mal at python.org> wrote:

> Who would be the one to contact for issues like these?
> 
> The case is rather urgent, since the XSS can be used for stealing
> session cookies on *.python.org.
> 
> The sorting by password issue is a more obscure one. Just removing
> the "feature" to sort by password should be enough to solve it.

Technically it's an infrastructure issue (cc'd), but fixing the code of roundup is hardly their domain.

Ezio Melotti (cc'd) did a lot of work on the Python installation of roundup, so he may have a better idea.

We have a security mailing list but that is mainly intended for security issues in the language:

	security at python.org <security at python.org>

Michael

> 
> On 15.07.2013 10:03, M.-A. Lemburg wrote:
>> Hi Thibault,
>> 
>> thank you for reporting this.
>> 
>> On 14.07.2013 22:26, Thibault Fevry wrote:
>>> Hello,
>>> 
>>> First of all, I am sorry if this is not the right way I should have done
>>> this, I searched for an answer in devguide but could not come up with much
>>> better than this. It is also one of the first times I use a mailing-list so
>>> feel free to tell me if I do something wrong.
>>> 
>>> It seems that there is an XSS issue in the bug tracker. I reported it at:
>>> http://psf.upfronthosting.co.za/roundup/meta/issue519 . From my (limited)
>>> experience and knowledge, these can sometimes be used to do more malicious
>>> code than what is displayed in the bug report, so that's why I use the
>>> mailing-list to try to get the issue corrected earlier.
>>> 
>>> Thibault Févry.
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Pydotorg mailing list
>>> Pydotorg at python.org
>>> http://mail.python.org/mailman/listinfo/pydotorg
>>> 
>> 
> 
> -- 
> Marc-Andre Lemburg
> Director
> Python Software Foundation
> http://www.python.org/psf/


--
http://www.voidspace.org.uk/


May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing 
http://www.sqlite.org/different.html
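The thread names two fixes without showing code: escape tracker text so an XSS payload cannot run (and keep the session cookie out of reach of page scripts), and drop the ability to sort by the password column. The block below is an added illustration written for this archive page; it is not roundup's code and not code from any message above. The function names (`render_issue_row`, `session_cookie_header`, `build_sort_clause`, `is_sortable`), the cookie name `roundup_session`, the column list and the sample inputs are all constructed for the example.

```python
"""Defensive illustration of the two tracker fixes discussed in the thread.

1. Every untrusted issue field is HTML-escaped before rendering, so script
   markup in a title or reporter name is displayed literally, not executed.
2. The session cookie is issued HttpOnly and Secure, so even a script that
   does run cannot read it via document.cookie and it never travels in clear.
3. Sorting is restricted to an explicit allow-list of columns; a request to
   sort by a credential column is refused rather than forwarded to the query.

All names here are hypothetical (added example, not roundup's own code).
"""
from html import escape
from http.cookies import SimpleCookie

# Hypothetical allow-list of columns a user may sort on. Note what is absent:
# password (and any other credential or secret column) is simply not listed.
SORTABLE_COLUMNS = frozenset({"id", "title", "status", "priority", "creation"})


class SortNotAllowed(ValueError):
    """Raised when a request asks to sort on a column outside the allow-list."""


def render_issue_row(title: str, reporter: str) -> str:
    """Render one tracker table row from untrusted fields.

    quote=True also escapes quotes, so the same helper is safe for text that
    ends up inside an attribute value.
    """
    return (
        '<tr><td class="title">{}</td><td class="reporter">{}</td></tr>'
    ).format(escape(title, quote=True), escape(reporter, quote=True))


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header for the (constructed) roundup_session cookie
    that page scripts cannot read (HttpOnly) and that is only sent over TLS."""
    cookie = SimpleCookie()
    cookie["roundup_session"] = session_id
    cookie["roundup_session"]["httponly"] = True
    cookie["roundup_session"]["secure"] = True
    cookie["roundup_session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


def is_sortable(column: str) -> bool:
    """True only for columns on the allow-list; everything else is refused."""
    return column in SORTABLE_COLUMNS


def build_sort_clause(requested: str) -> str:
    """Turn a request parameter such as 'title:desc' into an ORDER BY clause.

    The column name is never interpolated unless it is on the allow-list, and
    the direction is normalised to one of two fixed literals.
    """
    column, _, direction = requested.partition(":")
    if not is_sortable(column):
        raise SortNotAllowed(f"sorting by {column!r} is not permitted")
    direction = direction.lower() or "asc"
    if direction not in ("asc", "desc"):
        raise SortNotAllowed(f"unknown sort direction {direction!r}")
    return f"ORDER BY {column} {direction.upper()}"


if __name__ == "__main__":
    # Constructed sample inputs: a title carrying script markup, and sort
    # requests for an allowed column and for the password column.
    print(render_issue_row("<script>alert(1)</script>", "reporter \"x\""))
    print(session_cookie_header("constructed-session-id"))
    print(build_sort_clause("title:desc"))
    try:
        build_sort_clause("password")
    except SortNotAllowed as exc:
        print("refused:", exc)
```

The allow-list is the general form of "removing the feature to sort by password": instead of blocking one column name, the code names the handful of columns that may be sorted on, so any column added to the schema later is non-sortable by default.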