On Mon, Jul 15, 2013 at 8:08 AM, R. David Murray <rdmur...@bitdance.com> wrote:

> On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord <
> mich...@voidspace.org.uk> wrote:
> >
> > On 15 Jul 2013, at 11:05, "M.-A. Lemburg" <m...@python.org> wrote:
> >
> > > Who would be the one to contact for issues like these ?
> > >
> > > The case is rather urgent, since the XSS can be used for stealing
> > > session cookies on *.python.org.
> > >
> > > The sorting by password issue is a more obscure one. Just removing
> > > the "feature" to sort by password should be enough to solve it.
> >
> > Technically it's an infrastructure issue (cc'd), but fixing the code of
> > roundup is hardly their domain.
> >
> > Ezio Melotti (cc'd) did a lot of work on the Python installation of
> > roundup, so he may have a better idea.
> >
> > We have a security mailing list but that is mainly intended for security
> > issues in the language:
> >
> >       secur...@python.org
>
> The OP also emailed security (which I heard about via IRC, I'm not
> on that list).
>
> Ezio is a Roundup developer, so he is indeed the best person to look
> at the XSS issue, since it is a Roundup problem and not specific to
> the Tracker.  I can take a look too but he is more knowledgeable
> than I about roundup itself.
>
> There is another problem which is specific to our tracker and which is the
> bigger issue right at the moment.  We have a 'nobody' user with a blank
> password and Developer privileges.
>
> I'm about to go out, so I don't want to make a change that might break
> something right this moment, but anyone with the Coordinator role
> could take this on if they want to do it right now:  remove either the
> Developer role, or both roles, from that user and see what happens.
> I suspect that user should not exist at all, but I don't know for sure.
>

That user is owned by Donald Stufft (cc'ed). I actually can't log in as
that user, though, so I think it might be a special user that you can't
gain access to.
_______________________________________________
python-committers mailing list
python-committers@python.org
http://mail.python.org/mailman/listinfo/python-committers