[pydotorg-www] Editing LocalUserGroups
M.-A. Lemburg
mal at egenix.com
Thu Nov 10 07:07:29 EST 2016
On 10.11.2016 11:44, Xavier Combelle wrote:
> looks like a byte/unicode problem
This is likely, yes.
> I have little idea for the truncation but for the TypeError, looks like
> safe_str_equal seems the buggy one is
> a lot too much overkill, as it is very unlikely that someone would want
> to make a timing attack on captcha.
>
> So I would suggest as a quick fix to replace safe_str_equal by a classic ==
>
> A long term improvement would be to log the full stack trace on all
> exceptions
The truncation appears to be the result of this method:
http://hg.moinmo.in/moin/1.9/file/561b7a9c2bd9/MoinMoin/security/textcha.py#l175
which blindly removes characters from the question in combination
with this bug:
http://hg.moinmo.in/moin/1.9/diff/561b7a9c2bd9/MoinMoin/security/textcha.py
(hmac.new() defaults to MD5, but the ._extract_form_values() method
removes data based on the length of an SHA1 hash)
I guess it would be better to use a regexp for splitting off
the hash and timestamp.
I'll apply the fix for the hmac.new() manually now.
> On 10/11/2016 at 10:42, M.-A. Lemburg wrote:
>> I checked the logs. They are full of entries like these:
>>
>> [Thu Nov 10 08:06:36 2016] [error] 2016-11-10 08:06:36,257 INFO
>> MoinMoin.security.textcha:159 TextCha: failure (u='x.x.x.x', a='van',
>> re='[Never match for cheaters]', q='What is van Rossum's fir',
>> rsn='TypeError during signature check')
>>
>> Here's the associated code:
>>
>> http://hg.moinmo.in/moin/1.9/file/561b7a9c2bd9/MoinMoin/security/textcha.py#l129
>>
>> What's strange is the truncated question and the TypeError.
>>
>> I've put Thomas Waldmann on CC. Perhaps he can add some more
>> insights.
>>
>> Thomas: I have upgraded the moin installation to 1.9.9 and
>> we're getting lots of textcha errors since then. Questions
>> get truncated and TypeErrors appear to prevent any textcha
>> from succeeding, it seems.
>>
>> Any ideas?
>>
>> Thanks,
>
>
> _______________________________________________
> pydotorg-www mailing list
> pydotorg-www at python.org
> https://mail.python.org/mailman/listinfo/pydotorg-www
>
--
Marc-Andre Lemburg
eGenix.com
Professional Python Services directly from the Experts (#1, Nov 10 2016)
>>> Python Projects, Coaching and Consulting ... http://www.egenix.com/
>>> Python Database Interfaces ... http://products.egenix.com/
>>> Plone/Zope Database Interfaces ... http://zope.egenix.com/
________________________________________________________________________
::: We implement business ideas - efficiently in both time and costs :::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
http://www.malemburg.com/
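The truncation Marc-Andre describes (an MD5 HMAC is 32 hex characters, a SHA1 HMAC is 40, so stripping a SHA1-sized suffix eats 8 characters of the question) is easy to reproduce in isolation. The following is an added example, not MoinMoin's textcha code: it uses a constructed signed-value format (`question timestamp hexsig`), a constructed secret and timestamp, and its own function names. It shows the length-based extractor losing exactly the 8 characters seen in the log, the regexp-based split he suggests instead, and a verifier that normalises both sides to bytes before `hmac.compare_digest`, which is the kind of str/bytes mismatch that turns into a `TypeError` during the signature check.

```python
import hashlib
import hmac
import re

# Constructed sample values for this example; not Moin's real secret,
# format, or code.
SECRET = b"example-textcha-secret"
TIMESTAMP = "1478764800"      # fixed 10-digit timestamp so results are reproducible
SHA1_HEX_LEN = 40             # digest length the toy length-based extractor assumes
TS_LEN = len(TIMESTAMP)


def sign_question(question, digestmod=hashlib.md5, timestamp=TIMESTAMP):
    """Return the toy signed form value '<question> <timestamp> <hexsig>'.

    digestmod defaults to MD5 deliberately: that is the hmac.new() default
    the thread identifies, giving a 32-char hex digest instead of SHA1's 40.
    """
    msg = (question + timestamp).encode("utf-8")
    sig = hmac.new(SECRET, msg, digestmod).hexdigest()
    return "%s %s %s" % (question, timestamp, sig)


def extract_by_length(signed):
    """Buggy extractor: blindly strips a fixed-size suffix sized for SHA1.

    With an MD5 signature the suffix is 8 chars shorter than assumed, so
    the last 8 characters of the question are removed as well.
    """
    suffix_len = 1 + TS_LEN + 1 + SHA1_HEX_LEN
    return signed[:-suffix_len]


# Anchored pattern: the question is everything before the trailing
# '<digits> <hex>' pair, whatever the digest length happens to be.
_SIGNED_RE = re.compile(r"^(?P<question>.*) (?P<ts>\d+) (?P<sig>[0-9a-fA-F]+)$")


def extract_by_regex(signed):
    """Fixed extractor: split off timestamp and hash by shape, not by length.

    Returns (question, timestamp, hexsig) or None if the value is malformed.
    """
    m = _SIGNED_RE.match(signed)
    if m is None:
        return None
    return m.group("question"), m.group("ts"), m.group("sig").lower()


def verify(signed, digestmod=hashlib.md5):
    """Recompute the HMAC over the extracted question and compare safely."""
    parts = extract_by_regex(signed)
    if parts is None:
        return False
    question, ts, sig = parts
    expected = hmac.new(SECRET, (question + ts).encode("utf-8"), digestmod).hexdigest()
    # compare_digest raises TypeError when one side is str and the other bytes;
    # encoding both sides avoids exactly that failure mode.
    return hmac.compare_digest(expected.encode("ascii"), sig.encode("ascii"))


if __name__ == "__main__":
    # Constructed question of 32 characters; the log line in the thread shows
    # a question cut off after "fir", i.e. 8 characters short.
    signed = sign_question("What is van Rossum's first name?")
    print("length-based:", repr(extract_by_length(signed)))
    print("regex-based: ", repr(extract_by_regex(signed)[0]))
    print("verifies:    ", verify(signed))
```

Signing the same question with `digestmod=hashlib.sha1` makes `extract_by_length` return the full question again, which is why the bug only surfaced once the digest default and the extractor disagreed; the regexp version is unaffected either way.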