Re: [python-committers] [Infrastructure] [Pydotorg] XSS security issue
On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord wrote:
>
> On 15 Jul 2013, at 11:05, "M.-A. Lemburg" wrote:
>
> > Who would be the one to contact for issues like these ?
> >
> > The case is rather urgent, since the XSS can be used for stealing
> > session cookies on *.python.org.
> >
> > The sorting by password issue is a more obscure one. Just removing
> > the "feature" to sort by password should be enough to solve it.
>
> Technically it's an infrastructure issue (cc'd), but fixing the code of
> roundup is hardly their domain.
>
> Ezio Melotti (cc'd) did a lot of work on the Python installation of roundup,
> so he may have a better idea.
>
> We have a security mailing list but that is mainly intended for security
> issues in the language:
>
> [email protected]

The OP also emailed security (which I heard about via IRC, I'm not on that list).

Ezio is a Roundup developer, so he is indeed the best person to look at the XSS issue, since it is a Roundup problem and not specific to the Tracker. I can take a look too but he is more knowledgeable than I about roundup itself.

There is another problem which is specific to our tracker and which is the bigger issue right at the moment. We have a 'nobody' user with a blank password and Developer privileges.

I'm about to go out, so I don't want to make a change that might break something right this moment, but anyone with the Coordinator role could take this on if they want to do it right now: remove either the Developer role, or both roles, from that user and see what happens. I suspect that user should not exist at all, but I don't know for sure.

--David

___
python-committers mailing list
[email protected]
http://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] [Infrastructure] [Pydotorg] XSS security issue
On Mon, Jul 15, 2013 at 8:08 AM, R. David Murray wrote:
> On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord <[email protected]> wrote:
> >
> > On 15 Jul 2013, at 11:05, "M.-A. Lemburg" wrote:
> >
> > > Who would be the one to contact for issues like these ?
> > >
> > > The case is rather urgent, since the XSS can be used for stealing
> > > session cookies on *.python.org.
> > >
> > > The sorting by password issue is a more obscure one. Just removing
> > > the "feature" to sort by password should be enough to solve it.
> >
> > Technically it's an infrastructure issue (cc'd), but fixing the code of
> > roundup is hardly their domain.
> >
> > Ezio Melotti (cc'd) did a lot of work on the Python installation of
> > roundup, so he may have a better idea.
> >
> > We have a security mailing list but that is mainly intended for security
> > issues in the language:
> >
> > [email protected]
>
> The OP also emailed security (which I heard about via IRC, I'm not
> on that list).
>
> Ezio is a Roundup developer, so he is indeed the best person to look
> at the XSS issue, since it is a Roundup problem and not specific to
> the Tracker. I can take a look too but he is more knowledgeable
> than I about roundup itself.
>
> There is another problem which is specific to our tracker and which is the
> bigger issue right at the moment. We have a 'nobody' user with a blank
> password and Developer privileges.
>
> I'm about to go out, so I don't want to make a change that might break
> something right this moment, but anyone with the Coordinator role
> could take this on if they want to do it right now: remove either the
> Developer role, or both roles, from that user and see what happens.
> I suspect that user should not exist at all, but I don't know for sure.

That user is owned by Donald Stufft (cc'ed). I actually can't log in as that user, though, so I think it might be a special user that you can't gain access to.
Re: [python-committers] [Infrastructure] [Pydotorg] XSS security issue
On Mon, Jul 15, 2013 at 9:33 AM, Brett Cannon wrote:
>
> On Mon, Jul 15, 2013 at 8:08 AM, R. David Murray wrote:
>
>> On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord <[email protected]> wrote:
>> >
>> > On 15 Jul 2013, at 11:05, "M.-A. Lemburg" wrote:
>> >
>> > > Who would be the one to contact for issues like these ?
>> > >
>> > > The case is rather urgent, since the XSS can be used for stealing
>> > > session cookies on *.python.org.
>> > >
>> > > The sorting by password issue is a more obscure one. Just removing
>> > > the "feature" to sort by password should be enough to solve it.
>> >
>> > Technically it's an infrastructure issue (cc'd), but fixing the code of
>> > roundup is hardly their domain.
>> >
>> > Ezio Melotti (cc'd) did a lot of work on the Python installation of
>> > roundup, so he may have a better idea.
>> >
>> > We have a security mailing list but that is mainly intended for
>> > security issues in the language:
>> >
>> > [email protected]
>>
>> The OP also emailed security (which I heard about via IRC, I'm not
>> on that list).
>>
>> Ezio is a Roundup developer, so he is indeed the best person to look
>> at the XSS issue, since it is a Roundup problem and not specific to
>> the Tracker. I can take a look too but he is more knowledgeable
>> than I about roundup itself.
>>
>> There is another problem which is specific to our tracker and which is the
>> bigger issue right at the moment. We have a 'nobody' user with a blank
>> password and Developer privileges.
>>
>> I'm about to go out, so I don't want to make a change that might break
>> something right this moment, but anyone with the Coordinator role
>> could take this on if they want to do it right now: remove either the
>> Developer role, or both roles, from that user and see what happens.
>> I suspect that user should not exist at all, but I don't know for sure.
>
> That user is owned by Donald Stufft (cc'ed). I actually can't log in as
> that user, though, so I think it might be a special user that you can't
> gain access to.

Donald's reply (since his email is in the committers review queue):

I can't comment on python-committers so my message didn't get through there (But did on Infrastructure).

My Message:

So I was able to log in to the "nobody" account without a password (Why is this even possible?). It gave me powers to edit users and some other shit. I added a password to the nobody account since these lists are publicly available and if I can get into that user so can others.

I will make the password available to whoever is in charge, (Or they can just change the password themselves I don't care).

If you want to pass this through to python-committers or something that's ok with me.
Re: [python-committers] [Infrastructure] [Pydotorg] XSS security issue
On Mon, 15 Jul 2013 08:22:40 -0400, Donald Stufft wrote:
> So I was able to log in to the "nobody" account without a password
> (Why is this even possible?). It gave me powers to edit users and some
> other shit. I added a password to the nobody account since these lists
> are publicly available and if I can get into that user so can others.

Ah, I didn't realize you could edit users (I thought that was Coordinator role) or I would have changed the password myself.

> I will make the password available to whoever is in charge, (Or they
> can just change the password themselves I don't care).

I think the user should just be retired. My guess is that it dates from a time when we were less worried about bad actors coming in and trashing things just for the fun of it. What I don't know is if there is some script somewhere depending on it being a valid user. For now, I've removed its access roles, and we'll see if anything breaks.

--David
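As an added audit check, not code from this thread or from Roundup itself: a small script that flags tracker accounts combining a blank password with a privileged role (the 'nobody' situation above) and applies the remediation David describes, dropping the roles. It assumes a simple dict export per user, Roundup's comma-separated roles string, and {scheme}-prefixed password values; the user records are constructed for the example.

```python
# Added audit helper (assumption-based, not Roundup's own code). It treats a user
# as risky when the stored password is blank and the roles string contains a
# privileged role, and shows role removal as a pure function on the record.

PRIVILEGED_ROLES = {"Admin", "Developer", "Coordinator"}  # assumed privileged roles


def parse_roles(roles_field: str) -> set:
    """Split a Roundup-style comma-separated roles string into a set of names."""
    return {r.strip() for r in roles_field.split(",") if r.strip()}


def has_blank_password(password_field: str) -> bool:
    """True when the field is empty or a '{scheme}' prefix carries no value (assumed format)."""
    if not password_field:
        return True
    if password_field.startswith("{") and "}" in password_field:
        return password_field.split("}", 1)[1] == ""
    return False


def find_risky_accounts(users):
    """Return (username, privileged roles) for accounts with a blank password and privilege."""
    risky = []
    for u in users:
        privileged = parse_roles(u.get("roles", "")) & PRIVILEGED_ROLES
        if privileged and has_blank_password(u.get("password", "")):
            risky.append((u["username"], sorted(privileged)))
    return risky


def strip_roles(user, roles_to_remove=PRIVILEGED_ROLES):
    """Return a copy of the record with the given roles removed (what was done to 'nobody')."""
    remaining = parse_roles(user.get("roles", "")) - set(roles_to_remove)
    return {**user, "roles": ",".join(sorted(remaining))}


# Constructed sample export; usernames and hash values are made up.
SAMPLE_USERS = [
    {"username": "admin", "password": "{SHA}deadbeef", "roles": "Admin"},
    {"username": "nobody", "password": "", "roles": "User,Developer"},
    {"username": "anonymous", "password": "{plaintext}", "roles": "Anonymous"},
    {"username": "alice", "password": "{PBKDF2}1000$abc$def", "roles": "User,Developer"},
]

if __name__ == "__main__":
    for name, roles in find_risky_accounts(SAMPLE_USERS):
        print(f"{name}: blank password with privileged roles {roles}")
        print("after remediation:", strip_roles(SAMPLE_USERS[1]))
```

The 'anonymous' record is deliberately blank-password but unprivileged, so it is not reported; only the role combination makes the blank password a finding.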
Re: [python-committers] [Infrastructure] [Pydotorg] XSS security issue
On 2013-07-15 17:16, R. David Murray wrote:
>> I will make the password available to whoever is in charge, (Or they
>> can just change the password themselves I don't care).
>
> I think the user should just be retired. My guess is that it dates from
> a time when we were less worried about bad actors coming in and trashing
> things just for the fun of it. What I don't know is if there is some
> script somewhere depending on it being a valid user. For now, I've
> removed its access roles, and we'll see if anything breaks.

Isn't it the user for automatic Roundup updates from hg pushes?

Regards

Antoine.
Re: [python-committers] [Infrastructure] [Pydotorg] XSS security issue
On 15 Jul, 2013, at 18:02, Antoine Pitrou wrote:
> On 2013-07-15 17:16, R. David Murray wrote:
>>> I will make the password available to whoever is in charge, (Or they
>>> can just change the password themselves I don't care).
>> I think the user should just be retired. My guess is that it dates from
>> a time when we were less worried about bad actors coming in and trashing
>> things just for the fun of it. What I don't know is if there is some
>> script somewhere depending on it being a valid user. For now, I've
>> removed its access roles, and we'll see if anything breaks.
>
> Isn't it the user for automatic Roundup updates from hg pushes?

I've checked in a change just now and that message still ends up on the tracker.

Ronald
Re: [python-committers] [Infrastructure] [Pydotorg] XSS security issue
On Mon, 15 Jul 2013 18:02:35 +0200, Antoine Pitrou wrote:
> On 2013-07-15 17:16, R. David Murray wrote:
> >
> >> I will make the password available to whoever is in charge, (Or they
> >> can just change the password themselves I don't care).
> >
> > I think the user should just be retired. My guess is that it dates from
> > a time when we were less worried about bad actors coming in and trashing
> > things just for the fun of it. What I don't know is if there is some
> > script somewhere depending on it being a valid user. For now, I've
> > removed its access roles, and we'll see if anything breaks.
>
> Isn't it the user for automatic Roundup updates from hg pushes?

No, that one is python-dev. Push updates are still working.

--David
[python-committers] I would suggest not pushing or pulling from the repo
I accidentally pushed a merge from 3.3 to default in the "3.3" branch. I think I'm going to have to strip it.

--
Regards,
Benjamin
Re: [python-committers] I would suggest not pushing or pulling from the repo
The other option is you could 'close' the unwanted head and create a new head at the point before the unwanted merge.

> -----Original Message-----
> From: python-committers [mailto:python-committers-[email protected]] On Behalf Of Benjamin Peterson
> Sent: Monday, 15 July, 2013 23:08
> To: python-committers
> Subject: [python-committers] I would suggest not pushing or pulling from the repo
>
> I accidentally pushed a merge from 3.3 to default in the "3.3" branch. I think I'm
> going to have to strip it.
>
> --
> Regards,
> Benjamin
Re: [python-committers] I would suggest not pushing or pulling from the repo
There's no unwanted head to close. It's all on the 3.3 branch.

2013/7/15 Jason R. Coombs :
> The other option is you could 'close' the unwanted head and create a new
> head at the point before the unwanted merge.
>
>> -----Original Message-----
>> From: python-committers [mailto:python-committers-[email protected]] On Behalf Of Benjamin Peterson
>> Sent: Monday, 15 July, 2013 23:08
>> To: python-committers
>> Subject: [python-committers] I would suggest not pushing or pulling from the repo
>>
>> I accidentally pushed a merge from 3.3 to default in the "3.3" branch. I think I'm
>> going to have to strip it.
>>
>> --
>> Regards,
>> Benjamin

--
Regards,
Benjamin
[python-committers] IMPORTANT: Strip your repos if you pulled recently
If you have c3a510b22218 in your repo, you will need to strip it like this

    $ hg strip c3a510b22218

(make sure to have the mq extension enabled)

Sorry for the trouble.

--
Regards,
Benjamin
Re: [python-committers] I would suggest not pushing or pulling from the repo
Okay, I fixed the repo. You may need to strip your repo per my last mail.

2013/7/15 Benjamin Peterson :
> I accidentally pushed a merge from 3.3 to default in the "3.3" branch. I
> think I'm going to have to strip it.
>
> --
> Regards,
> Benjamin

--
Regards,
Benjamin
Re: [python-committers] I would suggest not pushing or pulling from the repo
On Monday, 15 July 2013 at 20:49 -0700, Benjamin Peterson wrote:
> Okay, I fixed the repo. You may need to strip your repo per my last mail.

I'm a bit wary of what might happen on automated stuff (i.e. buildbots).

Regards

Antoine.
