Security issue with the tracker

Security issue with the tracker

anatoly techtonik
Are there any good small Python libraries for making HTML safe out there?

http://goo.gl/D6ag1

Just to make sure that devs are aware of the problem, which was
reported more than 6 months ago, gains some traction and a fix is released
sooner. I am not sure what you can do with a stolen bugs.python.org
cookie as everything seems audited, but it is a good precedent for a
grant on Roundup security research.

Have a nice weekend.
--
anatoly t.
_______________________________________________
Python-Dev mailing list
[hidden email]
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/lists%2B1324100855712-1801473%40n6.nabble.com
Re: Security issue with the tracker

anatoly techtonik
On Fri, Apr 13, 2012 at 9:23 PM, anatoly techtonik <[hidden email]> wrote:

> Are there any good small Python libraries for making HTML safe out there?
>
> http://goo.gl/D6ag1
>
> Just to make sure that devs are aware of the problem, which was
> reported more than 6 months ago, gains some traction and a fix is released
> sooner. I am not sure what you can do with a stolen bugs.python.org
> cookie as everything seems audited, but it is a good precedent for a
> grant on Roundup security research.
>
> Have a nice weekend.

Link to the security report, if you can help:
http://issues.roundup-tracker.org/issue2550724
--
anatoly t.
Re: Security issue with the tracker

Éric Araujo
bugs.python.org already sanitizes the ok_message and Ezio already posted
a patch to the upstream bug tracker, so I don’t see what else we could do.

Also note that the Firefox extension NoScript blocks the XSS in this case.

Regards
Re: Security issue with the tracker

anatoly techtonik
On Fri, Apr 13, 2012 at 9:53 PM, Éric Araujo <[hidden email]> wrote:
> bugs.python.org already sanitizes the ok_message and Ezio already posted a
> patch to the upstream bug tracker, so I don’t see what else we could do.

I am +1 with Glyph that XSS protection in Roundup is an unreliable
hack. Ezio's patch just prolongs the agony - it doesn't make it
better. Code becomes less maintainable. There are two solutions to
that:

1. Use a specialized library such as
http://pypi.python.org/pypi/MarkupSafe/ - benefits - easier
maintenance, and future fixes arrive without waiting until somebody
has the time to test attacks on Roundup
2. Quote all HTML on the server side and use alternative (wiki) markup for
message decorations
3. Do not allow HTML content to be injected through the URL

> Also note that the Firefox extension NoScript blocks the XSS in this case.

NoScript blocks everything, doesn't it?
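As an added illustration of options 2 and 3 from the message above (not code from the thread, Roundup or MarkupSafe), the snippet below contrasts the reflected-message pattern under discussion with a version that escapes everything taken from the URL before rendering and then supplies emphasis only through a tiny, fixed wiki-style rule. The query parameter name `ok_message`, the page template and the `*emphasis*` markup are assumptions for this example; the stdlib `html.escape` stands in for the MarkupSafe escape the message proposes.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical name of the query parameter that carries the status message.
OK_MESSAGE_PARAM = "ok_message"


def ok_message_from_url(url: str) -> str:
    """Extract the (percent-decoded) status message from a tracker URL."""
    params = parse_qs(urlsplit(url).query)
    return params.get(OK_MESSAGE_PARAM, [""])[0]


def render_ok_message_unsafe(message: str) -> str:
    """'Before' form: the message is interpolated verbatim into the page.

    Anything that arrived in the URL, including tags and attributes, becomes
    part of the document; this is the reflected-XSS shape the thread is about.
    """
    return f'<p class="ok-message">{message}</p>'


def render_ok_message_safe(message: str) -> str:
    """'After' form: quote all HTML, then add decoration from fixed markup only.

    1. html.escape turns <, >, &, " and ' into entities, so no input byte can
       open a tag or break out of an attribute (option 2/3 in the message).
    2. A single wiki-style rule, *text* -> <strong>text</strong>, is applied to
       the already-escaped string. The tags come from a constant template in
       this function, never from the input, so decoration survives without
       re-opening the HTML injection.
    """
    escaped = html.escape(message, quote=True)
    decorated = re.sub(r"\*([^*]+)\*", r"<strong>\1</strong>", escaped)
    return f'<p class="ok-message">{decorated}</p>'


def contains_raw_tag(fragment: str) -> bool:
    """Cheap regression check: does a rendered fragment still contain a tag
    that is not one of the two we deliberately emit?"""
    allowed = {"p", "/p", "strong", "/strong"}
    tags = re.findall(r"<\s*(/?\w+)", fragment)
    return any(t not in allowed for t in tags)


if __name__ == "__main__":
    # Constructed sample URL; the message part is a harmless probe string.
    url = "http://tracker.example/issue1?ok_message=Issue+*saved*+%3Cb%3Ehello%3C/b%3E"
    msg = ok_message_from_url(url)
    print("unsafe:", render_ok_message_unsafe(msg))
    print("safe:  ", render_ok_message_safe(msg))
```

The point of `contains_raw_tag` is that a maintainer can assert on the rendered output in a unit test, rather than re-testing attacks by hand each release, which is the maintenance argument the message makes for a dedicated escaping library.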