On 4.1.2013 12:56, Martin Povolny wrote:
On Fri, Jan 04, 2013 at 09:04:52AM +0100, Vít Ondruch wrote:
...
However, what is more important is that since your application secret token
is not that secret, i.e. it is published on github [2], cookies of Aeolus
could be faked [3]. Katello seems to do better in this area [4] (although it
was just a quick look into the code, not a security audit :)). Please consider
narrowing this situation.

...
[2] https://github.com/aeolusproject/conductor/blob/master/src/config/initializers/secret_token.rb#L23
[3] http://biggestfool.tumblr.com/post/24049554541/reminder-secret-token-rb-is-named-so-for-a-reason
[4] https://github.com/Katello/katello/blob/master/src/config/initializers/secret_token.rb

I suggest that Conductor should deal with the token exactly the same way Katello
does. I see no problem in their approach.

+1.

First I totally freaked out, then pblaho showed me that aeolus-configure
changes the token every time it is run. It writes directly to the
secret_token.rb file. However, this is still a big problem if someone doesn't
run aeolus-configure for whatever reason. I think we should adopt Katello's
solution.

J.
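The pattern the thread argues for, as an added example that is not Conductor's, Katello's or aeolus-configure's own code: a Rails 3 style secret_token initializer that never carries the secret in the repository. It reads the session secret from a file outside version control (the path config/secret_token.key is an assumption), generates a fresh random one with owner-only permissions on first run, and refuses a value that is too short, so a forgotten configure step leaves the app with an unpublished secret rather than a committed one.

```ruby
require 'securerandom'
require 'fileutils'

# Added example (not the project's own code). Loads the Rails session secret
# from a file that is kept out of git instead of hard-coding it in
# config/initializers/secret_token.rb.
module SecretToken
  # 64 random bytes, hex-encoded, gives 128 hex characters; the threshold is
  # an assumption chosen to reject short or placeholder values.
  MIN_HEX_LENGTH = 128

  # Returns the secret stored at +path+. When the file does not exist yet, a
  # fresh random secret is written with owner-only permissions and returned.
  def self.load_or_generate(path)
    if File.exist?(path)
      secret = File.read(path).strip
      raise "secret in #{path} is too short" if secret.length < MIN_HEX_LENGTH
      return secret
    end

    secret = SecureRandom.hex(64)
    FileUtils.mkdir_p(File.dirname(path))
    # O_EXCL makes creation atomic: a concurrent first run cannot truncate or
    # overwrite a secret that another process just wrote.
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
      f.write(secret)
    end
    secret
  end

  # True when group and world have no permission bits on the secret file,
  # i.e. the key is readable only by the application user.
  def self.owner_only?(path)
    (File.stat(path).mode & 0o077).zero?
  end
end

# Wiring for config/initializers/secret_token.rb (assumed file path;
# config.secret_token is the Rails 3.x setting this thread is about):
if defined?(Rails)
  Rails.application.config.secret_token =
    SecretToken.load_or_generate(Rails.root.join('config', 'secret_token.key').to_s)
end
```

Because the file is created on first boot, a deployment that skips aeolus-configure still starts with a random secret, and `owner_only?` is the check a deployment script can run to confirm nothing else on the host can read it; the key file itself belongs in .gitignore so the published repository never contains a usable token.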
