Re: GSoC Check-in: Security Enhancements

2012-07-23 Thread Luke Plant
On 23/07/12 14:24, Rohan Jain wrote: > With this, an attacker won't be able to directly set arbitrary tokens on other subdomains through cookies; they will need a signature of the token with the form, which is to be verified against the cookie. Plus it also puts a limit on the duration a token

Re: OT: security announcements for Django-related libraries

2012-07-23 Thread Luke Plant
Hi Adam, To avoid fragmenting the discussion, could you reply on the thread I linked to on Python Security? Thanks, Luke On 23/07/12 13:36, Adam "Cezar" Jenkins wrote: > Now. I'm going to preface this with being that I am totally naive about such things. Wouldn't it be nice if you could mark

Re: GSoC Check-in: Security Enhancements

2012-07-23 Thread Rohan Jain
On 11:06 +0100 / 23 Jul, Luke Plant wrote: > On 23/07/12 08:07, Rohan Jain wrote: > > ###CSRF Cookies (Time signed): > > - A random token generated by the server stored in the browser cookies. For verification, every non-GET request will need to provide a signed version of

Re: OT: security announcements for Django-related libraries

2012-07-23 Thread Adam "Cezar" Jenkins
Now. I'm going to preface this with being that I am totally naive about such things. Wouldn't it be nice if you could mark a release on PyPI as a security release and pip could just do security updates? Somewhat like a few Linux distributions do. Of course that's a long-term goal. A mailing list

OT: security announcements for Django-related libraries

2012-07-23 Thread Luke Plant
Hi all, I started a thread on the 'Python security' list about the need for a place for 3rd party Django/Python libraries to announce security issues, for the very common case of small libraries that wouldn't even have their own mailing list - or would have a fraction of their user base

Re: GSoC Check-in: Security Enhancements

2012-07-23 Thread Luke Plant
On 23/07/12 08:07, Rohan Jain wrote: > ###CSRF Cookies (Time signed): > - A random token generated by the server stored in the browser cookies. For verification, every non-GET request will need to provide a signed version of the same token. This can then be verified on the browser
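The "time signed" CSRF cookie scheme quoted in these messages (a random token in the cookie, a timestamped signature of that token carried in the form, verified against the cookie on every non-GET request), as an added example that is not code from the thread and not Django's implementation. The secret key, the one-hour maximum age and the `token:timestamp` payload layout are assumptions made for this illustration; the signing primitive is a plain HMAC-SHA256 from the standard library.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumptions for this illustration (not values from the thread or from Django).
SECRET_KEY = b"example-only-secret-key-change-me"
MAX_AGE_SECONDS = 3600


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie- and form-friendly."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def new_cookie_token() -> str:
    """The random token the server generates and stores in the CSRF cookie."""
    return _b64(os.urandom(32))


def _mac(cookie_token: str, timestamp: int, key: bytes) -> str:
    """HMAC over the cookie token and the time it was signed for the form."""
    payload = f"{cookie_token}:{timestamp}".encode("ascii")
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())


def sign_for_form(cookie_token: str, key: bytes = SECRET_KEY,
                  now: Optional[int] = None) -> str:
    """Value the server embeds in the form: timestamp plus signature of (token, timestamp).

    Only a holder of the key can produce this, so a cookie written by someone
    else (for example from another subdomain) cannot be paired with a valid form value.
    """
    ts = int(time.time()) if now is None else int(now)
    return f"{ts}:{_mac(cookie_token, ts, key)}"


def verify_form_token(cookie_token: str, form_token: str, key: bytes = SECRET_KEY,
                      now: Optional[int] = None, max_age: int = MAX_AGE_SECONDS) -> bool:
    """Server-side check on a non-GET request.

    Rejects malformed values, signatures from the future, signatures older than
    max_age, and any signature that does not match the cookie actually presented.
    """
    current = int(time.time()) if now is None else int(now)
    try:
        ts_text, mac = form_token.split(":", 1)
        ts = int(ts_text)
    except ValueError:
        return False
    if ts > current or current - ts > max_age:
        return False
    expected = _mac(cookie_token, ts, key)
    # Constant-time comparison so the check leaks nothing about the expected MAC.
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    cookie = new_cookie_token()
    form = sign_for_form(cookie)
    print("genuine pair verifies:", verify_form_token(cookie, form))
    print("attacker-set cookie with that form value:",
          verify_form_token("attacker-chosen-token", form))
```

The `now` parameter exists so the age check can be exercised without waiting; in a request handler both functions would use the real clock. The signature covers exactly what the proposal describes, the cookie token and a timestamp, so the guarantee the code gives is the one stated in the thread: a cookie value that was not issued alongside a key-holder's signature fails verification, and a signature stops being accepted once it is older than the configured limit.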

Re: GSoC Check-in: Security Enhancements

2012-07-23 Thread Rohan Jain
Hi, Centralized Tokenization: I have merged the work already done for centralized tokenization at the last DjangoCon at [yarko/django][0]. Since there have been a significant number of changes since then, merging and resolving conflicts took a little more time than expected. As of now the tests are