Package: buildd.debian.org
X-Debbugs-Cc: [email protected]

I checked the giveback.wsgi file (which I couldn't find in any public git repository over https://salsa.debian.org/wb-team btw), and noticed that you are not properly validating the client certificates.
    domain = '@debian.org'
    if not user.endswith(domain):
        return ('This application is only accessible to {} account '
                'holders. \u2717'.format(domain))
    user = user[:-len(domain)]
That is *not* a proper check to see whether the certificate holder is a
DD. Examples of users with a @d.o certificate that are not DDs include:
* everybody with a guest account at DSA
* retired/removed DDs (as I don't _think_ the sso.d.o machinery
  automatically revokes them, I'd be glad to be proved wrong on this
  though)
All this stuff is already well documented at
https://wiki.debian.org/DebianSingleSignOn#A_word_on_the_two_A.27s
Currently the only sane, authoritative way to check whether a user is a
DD is using the nm.d.o public API (https://nm.debian.org/api/); a
somewhat less authoritative method is checking the status of the user in
ldap, but that might lag behind DAM decisions, etc.
--
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
more about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
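As an added illustration (not code from this report or from giveback.wsgi): the suffix check quoted above, next to a check that also requires the account's current membership status to be DD. The status records are constructed sample data standing in for a lookup against the nm.debian.org API; the record field names and status codes used here are assumptions, not the API's documented schema.

```python
from typing import Dict, List, Optional

DOMAIN = "@debian.org"

# Constructed sample standing in for records fetched from the nm.debian.org API.
# The field names ("username", "status") and the status codes are assumptions
# made for this example, not the API's documented schema.
SAMPLE_API_RECORDS: List[Dict[str, str]] = [
    {"username": "alice", "status": "dd_u"},        # uploading DD
    {"username": "bob", "status": "dd_nu"},         # non-uploading DD
    {"username": "carol", "status": "dd_e"},        # emeritus: no longer a DD
    {"username": "dave-guest", "status": "guest"},  # DSA guest account
]
DD_STATUSES = frozenset({"dd_u", "dd_nu"})


def weak_check(user: str) -> Optional[str]:
    """The check quoted in the report: any @debian.org certificate passes."""
    if not user.endswith(DOMAIN):
        return None
    return user[:-len(DOMAIN)]


def status_map(records: List[Dict[str, str]]) -> Dict[str, str]:
    """Index the (assumed) API records by username for direct lookups."""
    return {r["username"]: r["status"] for r in records}


def strict_check(user: str, statuses: Dict[str, str]) -> Optional[str]:
    """Accept only a well-formed @debian.org identity whose current status is DD."""
    local, sep, domain = user.rpartition("@")
    if not sep or not local or domain != DOMAIN[1:]:
        return None  # malformed identity or wrong domain
    if statuses.get(local) not in DD_STATUSES:
        return None  # guest, emeritus, removed, or unknown account
    return local


if __name__ == "__main__":
    statuses = status_map(SAMPLE_API_RECORDS)
    for u in ("alice@debian.org", "carol@debian.org", "dave-guest@debian.org"):
        print(u, "weak:", weak_check(u), "strict:", strict_check(u, statuses))
```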