[pydotorg-www] Editing LocalUserGroups

M.-A. Lemburg mal at egenix.com
Thu Nov 10 07:07:29 EST 2016


On 10.11.2016 11:44, Xavier Combelle wrote:
> looks like a byte/unicode problem

This is likely, yes.

> I have little idea for the truncation, but for the TypeError it looks like
> safe_str_equal is the buggy one, and it is
> a lot of overkill, as it is very unlikely that someone would want
> to make a timing attack on a captcha.
> 
> So I would suggest as a quick fix to replace safe_str_equal by a classic ==
> 
> A long term improvement would be to log the full stack trace on all
> exceptions

The truncation appears to be the result of this method:

http://hg.moinmo.in/moin/1.9/file/561b7a9c2bd9/MoinMoin/security/textcha.py#l175

which blindly removes characters from the question in combination
with this bug:

http://hg.moinmo.in/moin/1.9/diff/561b7a9c2bd9/MoinMoin/security/textcha.py

(hmac.new() defaults to MD5, but the ._extract_form_values() method
removes data based on the length of an SHA1 hash)

I guess it would be better to use a regexp for splitting off
the hash and timestamp.

I'll apply the fix for the hmac.new() manually now.

> Le 10/11/2016 à 10:42, M.-A. Lemburg a écrit :
>> I checked the logs. They are full of entries like these:
>>
>> [Thu Nov 10 08:06:36 2016] [error] 2016-11-10 08:06:36,257 INFO
>> MoinMoin.security.textcha:159 TextCha: failure (u='x.x.x.x', a='van',
>> re='[Never match for cheaters]', q='What is van Rossum's fir',
>> rsn='TypeError during signature check')
>>
>> Here's the associated code:
>>
>> http://hg.moinmo.in/moin/1.9/file/561b7a9c2bd9/MoinMoin/security/textcha.py#l129
>>
>> What's strange is the truncated question and the TypeError.
>>
>> I've put Thomas Waldmann on CC. Perhaps he can add some more
>> insights.
>>
>> Thomas: I have upgraded the moin installation to 1.9.9 and
>> we're getting lots of textcha errors since then. Questions
>> get truncated and TypeErrors appear to prevent any textcha
>> from succeeding, it seems.
>>
>> Any ideas?
>>
>> Thanks,
> 
> 
> _______________________________________________
> pydotorg-www mailing list
> pydotorg-www at python.org
> https://mail.python.org/mailman/listinfo/pydotorg-www
> 

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Nov 10 2016)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...           http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...           http://zope.egenix.com/
________________________________________________________________________

::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
                      http://www.malemburg.com/
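The two failure modes discussed in the thread (a hard-coded SHA1 hash width applied to an MD5 signature, and a str/bytes mix in the constant-time comparison) are easy to reproduce in isolation. The following is an added example written for this page, not MoinMoin's textcha.py: it assumes a form value laid out as question + 10-digit timestamp + hex HMAC, a constructed secret, and hypothetical helper names (sign, extract_fixed, extract, verify); only the digest-length arithmetic and the hmac.compare_digest type behaviour are taken from the standard library.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"   # assumption: any server-side secret
TS_WIDTH = 10                         # assumption: timestamp is a 10-digit epoch string


def _mac(question, ts_str, secret, digestmod):
    """HMAC over question + timestamp, as hex. Both inputs are encoded to bytes."""
    return hmac.new(secret, (question + ts_str).encode("utf-8"), digestmod).hexdigest()


def sign(question, timestamp, secret=SECRET, digestmod=hashlib.sha1):
    """Build the signed form value: question, zero-padded timestamp, hex signature.
    digestmod is explicit; hmac.new() without it historically meant MD5."""
    ts_str = "%0*d" % (TS_WIDTH, timestamp)
    return question + ts_str + _mac(question, ts_str, secret, digestmod)


def extract_fixed(signed, hexlen=40):
    """The buggy shape: slice off a hard-coded SHA1-sized hash (40 hex chars),
    whatever digest actually produced the value. With a 32-char MD5 signature
    this eats 8 characters of the question and 2 digits of the timestamp."""
    sig = signed[-hexlen:]
    rest = signed[:-hexlen]
    return rest[:-TS_WIDTH], rest[-TS_WIDTH:], sig


def extract(signed, digestmod=hashlib.sha1):
    """Derive the hash width from the digest in use and validate the layout
    with an anchored regexp; returns None instead of a silently mangled question."""
    hexlen = digestmod().digest_size * 2
    pat = re.compile(r"^(?P<q>.*)(?P<ts>\d{%d})(?P<sig>[0-9a-f]{%d})$" % (TS_WIDTH, hexlen), re.S)
    m = pat.match(signed)
    if m is None:
        return None
    return m.group("q"), m.group("ts"), m.group("sig")


def verify(signed, secret=SECRET, digestmod=hashlib.sha1, max_age=3600, now=None):
    """Return (question, status). compare_digest raises TypeError if one side is
    str and the other bytes, so both sides are encoded before comparing."""
    parts = extract(signed, digestmod)
    if parts is None:
        return None, "malformed"
    question, ts_str, sig = parts
    expected = _mac(question, ts_str, secret, digestmod)
    if not hmac.compare_digest(expected.encode("ascii"), sig.encode("ascii")):
        return question, "bad signature"
    if now is not None and now - int(ts_str) > max_age:
        return question, "expired"
    return question, "ok"


def compare_raises_typeerror(a, b):
    """True if hmac.compare_digest refuses this str/bytes combination."""
    try:
        hmac.compare_digest(a, b)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    q, ts = "What is van Rossum's first name?", 1478764800   # constructed sample
    md5_signed = sign(q, ts, digestmod=hashlib.md5)
    print(extract_fixed(md5_signed)[0])                      # truncated question
    print(verify(md5_signed, digestmod=hashlib.md5, now=ts + 5))
    print(compare_raises_typeerror("abc", b"abc"))
```

Slicing with a width derived from the digest (or matching it with the regexp) makes the extractor follow whatever digestmod the signer uses, so a later change of hash cannot reintroduce the truncation; encoding both digests to the same type before compare_digest removes the TypeError without giving up the constant-time comparison.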


