[python-committers] [Infrastructure] [Pydotorg] XSS security issue

Ezio Melotti ezio.melotti at gmail.com
Tue Jul 16 22:11:17 CEST 2013


Hi,

On Mon, Jul 15, 2013 at 2:08 PM, R. David Murray <rdmurray at bitdance.com> wrote:
> On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord <michael at voidspace.org.uk> wrote:
>>
>> On 15 Jul 2013, at 11:05, "M.-A. Lemburg" <mal at python.org> wrote:
>>
>> > Who would be the one to contact for issues like these ?
>> >
>> > The case is rather urgent, since the XSS can be used for stealing
>> > session cookies on *.python.org.
>> >
>> > The sorting by password issue is a more obscure one. Just removing
>> > the "feature" to sort by password should be enough to solve it.
>>
>> Technically it's an infrastructure issue (cc'd), but fixing the code of roundup is hardly their domain.
>>
>> Ezio Melotti (cc'd) did a lot of work on the Python installation of roundup, so he may have a better idea.
>>
>> We have a security mailing list but that is mainly intended for security issues in the language:
>>
>>       security at python.org <security at python.org>
>
> The OP also emailed security (which I heard about via IRC, I'm not
> on that list).
>
> Ezio is a Roundup developer, so he is indeed the best person to look
> at the XSS issue, since it is a Roundup problem and not specific to
> the Tracker.  I can take a look too but he is more knowledgeable
> than I about roundup itself.
>

I don't have time to look at this now, and it might take up to 2 weeks
before I find some time.
The fix is usually as simple as adding a call to escape() in the right
spot, but finding the right spot and testing that the fix works might
take some time.
Before doing this, our Roundup instance should be updated (1.5.0 has
been released recently, but AFAIK it doesn't include a fix for this).
FTR the issue has been reported upstream at
<http://issues.roundup-tracker.org/issue2550817>.

Best Regards,
Ezio Melotti

> There is another problem which is specific to our tracker and which is the
> bigger issue right at the moment.  We have a 'nobody' user with a blank
> password and Developer privileges.
>
> I'm about to go out, so I don't want to make a change that might break
> something right this moment, but anyone with the Coordinator role
> could take this on if they want to do it right now:  remove either the
> Developer role, or both roles, from that user and see what happens.
> I suspect that user should not exist at all, but I don't know for sure.
>
> --David
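As an added illustration of the kind of fix Ezio describes above (a call to escape() at the exact point where untrusted text enters the page), here is a small Python example. It is not Roundup's code and does not reproduce the reported bug; the template and the sample issue title are constructed for the demonstration, and `has_live_tag` is a hypothetical helper standing in for the regression check one would write to confirm the fix works.

```python
import html

# Constructed sample: an issue title a user could submit through the tracker.
# It is not taken from the Roundup report referenced in the thread.
SAMPLE_TITLE = 'Bug in <script>alert("xss")</script> module'

# Constructed template: the same value lands in element content and in an
# attribute value, so the escaping has to be safe in both contexts.
TEMPLATE = '<h1 class="title">{title}</h1><input name="title" value="{title}">'


def render_unescaped(title: str) -> str:
    """The vulnerable pattern: user text is interpolated into the HTML verbatim,
    so markup inside the title becomes part of the page."""
    return TEMPLATE.format(title=title)


def render_escaped(title: str) -> str:
    """The fix: escape at the point of output. quote=True also converts '"' and
    "'" so the result is safe inside value="..." as well as in element content."""
    return TEMPLATE.format(title=html.escape(title, quote=True))


def has_live_tag(rendered: str) -> bool:
    """Hypothetical regression check: does a literal <script> tag survive rendering?
    A true result means the page would execute attacker-supplied markup."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unescaped renders live tag:", has_live_tag(render_unescaped(SAMPLE_TITLE)))
    print("escaped renders live tag:  ", has_live_tag(render_escaped(SAMPLE_TITLE)))
    print(render_escaped(SAMPLE_TITLE))
```

The point of the `has_live_tag` check is the "testing that the fix works" half of the job: once the right spot is found, a test that feeds a known markup-bearing value through the template and asserts the tag does not come out alive is what keeps the escape() call from being dropped again in a later refactor.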

