On Mon, Jul 15, 2013 at 9:33 AM, Brett Cannon <br...@python.org> wrote:
> On Mon, Jul 15, 2013 at 8:08 AM, R. David Murray <rdmur...@bitdance.com> wrote:
>> On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord <mich...@voidspace.org.uk> wrote:
>>> On 15 Jul 2013, at 11:05, "M.-A. Lemburg" <m...@python.org> wrote:
>>>> Who would be the one to contact for issues like these ?
>>>>
>>>> The case is rather urgent, since the XSS can be used for stealing
>>>> session cookies on *.python.org.
>>>>
>>>> The sorting by password issue is a more obscure one. Just removing
>>>> the "feature" to sort by password should be enough to solve it.
>>>
>>> Technically it's an infrastructure issue (cc'd), but fixing the code of
>>> roundup is hardly their domain.
>>>
>>> Ezio Melotti (cc'd) did a lot of work on the Python installation of
>>> roundup, so he may have a better idea.
>>>
>>> We have a security mailing list but that is mainly intended for
>>> security issues in the language:
>>>
>>> secur...@python.org
>>
>> The OP also emailed security (which I heard about via IRC, I'm not
>> on that list).
>>
>> Ezio is a Roundup developer, so he is indeed the best person to look
>> at the XSS issue, since it is a Roundup problem and not specific to
>> the Tracker. I can take a look too but he is more knowledgeable
>> than I about roundup itself.
>>
>> There is another problem which is specific to our tracker and which is the
>> bigger issue right at the moment. We have a 'nobody' user with a blank
>> password and Developer privileges.
>>
>> I'm about to go out, so I don't want to make a change that might break
>> something right this moment, but anyone with the Coordinator role
>> could take this on if they want to do it right now: remove either the
>> Developer role, or both roles, from that user and see what happens.
>> I suspect that user should not exist at all, but I don't know for sure.
>
> That user is owned by Donald Stufft (cc'ed). I actually can't log in as
> that user, though, so I think it might be a special user that you can't
> gain access to.

Donald's reply (since his email is in the committers review queue):

----------------------------------------
I can't comment on python-committers so my message didn't get through there (but did on Infrastructure). My message:

So I was able to log in to the "nobody" account without a password (why is this even possible?). It gave me powers to edit users and some other shit. I added a password to the nobody account since these lists are publicly available and if I can get into that user so can others. I will make the password available to whoever is in charge (or they can just change the password themselves, I don't care).
--------

If you want to pass this through to python-committers or something that's ok with me.
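The two tracker-side problems discussed in the thread (an account with a blank password holding the Developer role, and a sortable "password" property) are the kind of thing an administrator can check for mechanically. The script below is an added example written for this archive page; it is not code from the thread, from Roundup, or from the python.org infrastructure team. It assumes user records as plain dicts with `username`, `password` (the stored hash, `""` or `None` when blank) and `roles` (a comma-separated string, which is how Roundup stores roles), and the sample records, the privileged-role set and the list of sortable properties are all constructed for illustration.

```python
"""Audit tracker user records for blank passwords on privileged accounts and
flag sensitive properties that are exposed for sorting.  Added example; not
part of the thread or of Roundup itself."""

# Assumed for this example: which roles count as privileged on the tracker.
PRIVILEGED_ROLES = frozenset({"Admin", "Coordinator", "Developer"})

# Constructed sample records in the assumed shape; not real tracker data.
SAMPLE_USERS = [
    {"username": "admin", "password": "{SSHA}c29tZWhhc2g=", "roles": "Admin"},
    {"username": "nobody", "password": "", "roles": "User,Developer"},
    {"username": "anonymous", "password": None, "roles": "Anonymous"},
    {"username": "ezio", "password": "{SSHA}b3RoZXJoYXNo", "roles": "User,Coordinator"},
]

# Constructed list of properties the index view lets a client sort on.
SAMPLE_SORTABLE = ["username", "realname", "password", "creation"]


def split_roles(roles):
    """Turn Roundup's 'User,Developer' style role string into a set."""
    return {r.strip() for r in (roles or "").split(",") if r.strip()}


def audit_users(users, privileged=PRIVILEGED_ROLES):
    """Return (username, finding) pairs for every account with a blank password.

    A blank password that also carries a privileged role is the critical case
    the thread describes (the 'nobody' user); a blank password on an account
    with no privileged role is still reported, since anyone can log in as it.
    """
    findings = []
    for user in users:
        blank_password = not user.get("password")
        held = split_roles(user.get("roles")) & privileged
        if blank_password and held:
            findings.append((user["username"],
                             "blank password with privileged roles: "
                             + ",".join(sorted(held))))
        elif blank_password:
            findings.append((user["username"], "blank password"))
    return findings


def strip_privileged_roles(user, privileged=PRIVILEGED_ROLES):
    """Return a copy of the record with privileged roles removed, which is the
    immediate mitigation suggested in the thread (remove the Developer role)."""
    kept = sorted(split_roles(user.get("roles")) - privileged)
    fixed = dict(user)
    fixed["roles"] = ",".join(kept)
    return fixed


def unsafe_sortable_properties(sortable, sensitive=("password",)):
    """List sortable properties that leak information by ordering: sorting by a
    stored password hash lets a client compare hashes across accounts without
    ever reading the field, so such properties should not be sortable."""
    return [prop for prop in sortable if prop in sensitive]


if __name__ == "__main__":
    for name, finding in audit_users(SAMPLE_USERS):
        print(f"{name}: {finding}")
    print("sortable sensitive properties:",
          unsafe_sortable_properties(SAMPLE_SORTABLE))
```

Run against the constructed records the audit reports `nobody` as a blank-password account holding the Developer role and `anonymous` as a blank-password account without privileged roles, and the sortable-property check names `password`. On a real Roundup instance the records would come from the tracker database rather than a literal list, and the privileged-role set should match the roles actually granted in that tracker's `schema.py`.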
_______________________________________________ python-committers mailing list python-committers@python.org http://mail.python.org/mailman/listinfo/python-committers