Re: [Zope-dev] Plain-text passwords in your ZODB
On 12/17/10 00:55 , Tres Seaver wrote:
> On 12/16/2010 02:58 PM, Marius Gedminas wrote:
>> On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
>>> Marius Gedminas wrote:
>>>> So, did you know that by default Zope stores a copy of every user's
>>>> username and password in your ZODB, in plain text, on every login that
>>>> uses forms and sessions (rather than HTTP basic auth)?
>>>
>>> By "Zope" you mean Zope 3, ZTK, Bluebream ...?
>>
>> All of the above. More specifically, zope.pluggableauth (and, I assume,
>> zope.app.authentication before that).
>>
>> I haven't looked at Zope 2, sorry.
>
> I would venture to say that almost nobody in the Z2 world uses
> zope.pluggableauth: they use Products.PluggableAuthService or another
> Z2-specific solution.
>
> The SessionAuth plugin for PAS does put the credentials in the session,
> IIRC.

For Plone we use plone.session to manage authentication sessions. plone.session does not require any ZODB writes or storing of passwords, plaintext or otherwise. It is probably portable to zope.pluggableauth.

Wichert.

___
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plain-text passwords in your ZODB
On 12/16/2010 02:58 PM, Marius Gedminas wrote:
> On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
>> Marius Gedminas wrote:
>>> So, did you know that by default Zope stores a copy of every user's
>>> username and password in your ZODB, in plain text, on every login that
>>> uses forms and sessions (rather than HTTP basic auth)?
>>
>> By "Zope" you mean Zope 3, ZTK, Bluebream ...?
>
> All of the above. More specifically, zope.pluggableauth (and, I assume,
> zope.app.authentication before that).
>
> I haven't looked at Zope 2, sorry.

I would venture to say that almost nobody in the Z2 world uses zope.pluggableauth: they use Products.PluggableAuthService or another Z2-specific solution.

The SessionAuth plugin for PAS does put the credentials in the session, IIRC.

Tres.

--
===
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
Re: [Zope-dev] Plain-text passwords in your ZODB
On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
> Marius Gedminas wrote:
>> So, did you know that by default Zope stores a copy of every user's
>> username and password in your ZODB, in plain text, on every login that
>> uses forms and sessions (rather than HTTP basic auth)?
>
> By "Zope" you mean Zope 3, ZTK, Bluebream ...?

All of the above. More specifically, zope.pluggableauth (and, I assume, zope.app.authentication before that).

I haven't looked at Zope 2, sorry.

Marius Gedminas
--
http://pov.lt/ -- Zope 3/BlueBream consulting and development
Re: [Zope-dev] Plain-text passwords in your ZODB
Marius Gedminas wrote:
> So, did you know that by default Zope stores a copy of every user's
> username and password in your ZODB, in plain text, on every login that
> uses forms and sessions (rather than HTTP basic auth)?

By "Zope" you mean Zope 3, ZTK, Bluebream ...?

Andreas
[Zope-dev] Plain-text passwords in your ZODB
So, did you know that by default Zope stores a copy of every user's username and password in your ZODB, in plain text, on every login that uses forms and sessions (rather than HTTP basic auth)?

Look for them in /++etc++site/default/PersistentSessionDataContainer, inside the numerous SessionCredentials objects.

I would like to release zope.pluggableauth 1.2 with this change:

  http://zope3.pov.lt/trac/changeset/118971/zope.pluggableauth

so that people could supply a different SessionCredentials implementation if they so desire. For example, they could use keas.kmi.persistent.EncryptedPersistent as a base class.

Any comments/objections/better suggestions?

That still leaves the default behaviour being broken. I'm not feeling up to the task of redesigning zope.pluggableauth so it wouldn't need to keep a copy of the user's credentials persistently. Any takers?

By the way, that would be a nice opportunity to fix a few other Zope3/BlueBream authentication issues:

* It's *insanely complicated* to log user logins and logouts, if you need an accurate audit log. Or if you want to count the number of failed login attempts.

* It's *insanely complicated* (if not impossible) to try to use your own Principal classes.

* The default password hashing and salting scheme (SSHA) used by the principal folder is weak. See
  http://codahale.com/how-to-safely-store-a-password/
  http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

* The password checking code in zope.password is susceptible to a timing attack. See
  http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/

Marius Gedminas
--
http://pov.lt/ -- Zope 3/BlueBream consulting and development
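The three concrete problems raised in the post above (the password itself persisted in the session, a single salted SHA-1 as the at-rest scheme, and an early-exit comparison that leaks timing) shown side by side in one added Python example. This is illustration code written for this page; it is not code from zope.pluggableauth, zope.password, keas.kmi or plone.session. It assumes a per-deployment secret key held outside the ZODB, a session record shaped as (login, expiry, tag), an LDAP-style SSHA layout of `{SSHA}` + base64(sha1(password||salt) || salt) with a 4-byte salt, and a PBKDF2 encoding of my own choosing. Unlike the EncryptedPersistent suggestion, which encrypts the stored credential, the session record here simply never contains the password.

```python
"""Added example: session credentials without the password, SSHA versus an
iterated KDF, and constant-time verification.  Not project code.

Assumptions (mine, not the thread's): SESSION_KEY is a per-deployment secret
kept outside the ZODB; the session record is (login, expires, tag); SSHA is
laid out as '{SSHA}' + base64(sha1(pw||salt) || salt) with a 4-byte salt; the
'{PBKDF2-SHA256}$rounds$salt$dk' encoding is invented for this example."""
import base64
import hashlib
import hmac
import os
import time

SSHA_SALT_LEN = 4            # assumption: short LDAP-style salt
PBKDF2_ROUNDS = 200_000      # tune to ~100 ms per check on the target host
SESSION_KEY = os.urandom(32)  # assumption: per-deployment secret, not in the ZODB


def ssha_hash(password, salt=None):
    """Salted SHA-1: the salt defeats precomputed tables, but one guess still
    costs one SHA-1, so an offline attacker is barely slowed down."""
    salt = salt if salt is not None else os.urandom(SSHA_SALT_LEN)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, encoded):
    raw = base64.b64decode(encoded[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def pbkdf2_hash(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Iterated KDF: every guess costs `rounds` HMAC evaluations."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, rounds)
    return "{PBKDF2-SHA256}$%d$%s$%s" % (
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"))


def pbkdf2_verify(password, encoded):
    _, rounds, salt_b64, dk_b64 = encoded.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password, base64.b64decode(salt_b64), int(rounds))
    # compare_digest does not stop at the first differing byte
    return hmac.compare_digest(candidate, base64.b64decode(dk_b64))


def leaky_equal(a, b):
    """The pattern the timing-attack bullet is about: the loop returns as soon
    as a byte differs, so response time reveals the length of the matching
    prefix and the attacker can recover the secret byte by byte."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def issue_session_credentials(login, ttl_seconds=3600, now=None):
    """What gets persisted for a form/session login: login, expiry, and a
    MAC over both.  No password, plaintext or encrypted."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    msg = b"%s\0%d" % (login.encode("utf-8"), expires)
    tag = hmac.new(SESSION_KEY, msg, hashlib.sha256).hexdigest()
    return {"login": login, "expires": expires, "tag": tag}


def verify_session_credentials(record, now=None):
    """Recompute the MAC in constant time and check expiry.
    Returns the login on success, None otherwise."""
    now = int(now if now is not None else time.time())
    msg = b"%s\0%d" % (record["login"].encode("utf-8"), record["expires"])
    expected = hmac.new(SESSION_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    if now >= record["expires"]:
        return None
    return record["login"]
```

`hmac.compare_digest` exists from Python 2.7.7 and 3.3 onward; on the Python 2.5/2.6 interpreters the buildbots in this digest run, the equivalent is a loop that ORs the XOR of every byte pair into an accumulator and only inspects the accumulator at the end. The session record is verifiable without the password because the server only needs to trust its own MAC; revocation then means rotating SESSION_KEY or keeping a small deny-list of tags, which is the trade-off against storing (even encrypted) credentials.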
Re: [Zope-dev] Zope Tests: 73 OK, 15 Failed
> Subject: FAILED : Zope Buildbot / zopetoolkit-py2.5 slave-ubuntu64
> From: jdriessen at thehealthagency.com
> Date: Wed Dec 15 16:55:22 EST 2010
> URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026754.html
>
> Subject: FAILED : Zope Buildbot / zopetoolkit-py2.6 slave-ubuntu64
> From: jdriessen at thehealthagency.com
> Date: Wed Dec 15 17:00:02 EST 2010
> URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026755.html

Are we somehow re-using files checked out using Windows SVN on Linux boxes? The failures here are due to carriage returns in the doctest files::

  test-ztk-zope.publisher failed with:
  Test-module import failures:
  Module: zope.publisher.tests.test_http
  ValueError: line 81 of the docstring for httpresults.txt lacks \
  blank after ...: '...\r'

Those '\r' characters aren't present in the files in a normal Linux checkout.

Tres.

--
===
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
[Zope-dev] Zope Tests: 73 OK, 15 Failed
Summary of messages to the zope-tests list.
Period Wed Dec 15 12:00:00 2010 UTC to Thu Dec 16 12:00:00 2010 UTC.
There were 88 messages: 8 from Zope Tests, 4 from buildbot at pov.lt, 26 from buildbot at winbot.zope.org, 11 from ccomb at free.fr, 39 from jdriessen at thehealthagency.com.

Test failures
-------------

Subject: FAILED : Zope Buildbot / zopetoolkit-py2.5 slave-ubuntu64
From: jdriessen at thehealthagency.com
Date: Wed Dec 15 16:55:22 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026754.html

Subject: FAILED : Zope Buildbot / zopetoolkit-py2.6 slave-ubuntu64
From: jdriessen at thehealthagency.com
Date: Wed Dec 15 17:00:02 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026755.html

Subject: FAILED : Zope Buildbot / zopetoolkit_win-py2.5 slave-win
From: jdriessen at thehealthagency.com
Date: Wed Dec 15 17:01:12 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026758.html

Subject: FAILED : Zope Buildbot / zopetoolkit_win-py2.6 slave-win
From: jdriessen at thehealthagency.com
Date: Wed Dec 15 17:01:41 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026759.html

Subject: FAILED : Zope Buildbot / zopetoolkit-py2.5 slave-ubuntu32
From: jdriessen at thehealthagency.com
Date: Wed Dec 15 17:18:44 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026764.html

Subject: FAILED : Zope Buildbot / zopetoolkit-py2.6 slave-ubuntu32
From: jdriessen at thehealthagency.com
Date: Wed Dec 15 17:23:58 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026765.html

Subject: FAILED : Zope Buildbot / zopetoolkit-py2.5 slave-osx
From: jdriessen at thehealthagency.com
Date: Wed Dec 15 18:07:55 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026775.html

Subject: FAILED : Zope Buildbot / zopetoolkit-py2.6 slave-osx
From: jdriessen at thehealthagency.com
Date: Wed Dec 15 18:13:48 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026776.html

Subject: FAILED : winbot / z3c.xmlhttp_py_265_32
From: buildbot at winbot.zope.org
Date: Wed Dec 15 22:20:34 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026794.html

Subject: FAILED : winbot / zope.broken_py_265_32
From: buildbot at winbot.zope.org
Date: Wed Dec 15 23:59:40 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026796.html

Subject: FAILED : winbot / z3c.ptcompat_py_265_32
From: buildbot at winbot.zope.org
Date: Thu Dec 16 00:00:15 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026797.html

Subject: FAILED : winbot / z3c.contents_py_265_32
From: buildbot at winbot.zope.org
Date: Thu Dec 16 00:07:56 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026798.html

Subject: FAILED : winbot / z3c.zrtresource_py_265_32
From: buildbot at winbot.zope.org
Date: Thu Dec 16 00:14:20 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026799.html

Subject: FAILED : winbot / z3c.rml_py_265_32
From: buildbot at winbot.zope.org
Date: Thu Dec 16 00:24:27 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026801.html

Subject: FAILED : winbot / z3c.jsonrpcproxy_py_265_32
From: buildbot at winbot.zope.org
Date: Thu Dec 16 00:28:29 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026802.html

Tests passed OK
---------------

Subject: OK : Zope Buildbot / zope2.13_win-py2.7 slave-win
From: jdriessen at thehealthagency.com
Date: Wed Dec 15 08:48:36 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026724.html

Subject: OK : Zope Buildbot / zope2.13_win-py2.6 slave-win
From: jdriessen at thehealthagency.com
Date: Wed Dec 15 08:51:10 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026725.html

Subject: OK : winbot / ztk_dev py_254_win32
From: buildbot at winbot.zope.org
Date: Wed Dec 15 15:18:39 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026726.html

Subject: OK : winbot / ztk_dev py_265_win32
From: buildbot at winbot.zope.org
Date: Wed Dec 15 15:27:03 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026727.html

Subject: OK : winbot / ztk_dev py_265_win64
From: buildbot at winbot.zope.org
Date: Wed Dec 15 15:36:48 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026728.html

Subject: OK : winbot / ztk_dev py_270_win32
From: buildbot at winbot.zope.org
Date: Wed Dec 15 15:45:07 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026729.html

Subject: OK : winbot / ztk_dev py_270_win64
From: buildbot at winbot.zope.org
Date: Wed Dec 15 15:53:57 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026730.html

Subject: OK : winbot / ztk_10 py_244_win32
From: buildbot at winbot.zope.org
Date: Wed Dec 15 16:04:20 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-December/026731.html

Subject: OK : winbot / ztk_10 py_254_win32
From: b
Re: [Zope-dev] zope.testbrowser and WebTest
On 16 December 2010 08:38, Brian Sutherland wrote:
> On Thu, Dec 16, 2010 at 12:06:36AM +0100, Hanno Schlichting wrote:
>> On Wed, Dec 15, 2010 at 2:06 PM, Brian Sutherland wrote:
>>> I've managed to get the existing tests to run against this browser with
>>> two new testing dependencies:
>>>   WebTest
>>>   zope.app.wsgi
>>
>> zope.app.wsgi shouldn't be a dependency of zope.testbrowser. It's ok
>> if it's pulled in via a specific extra_requires like a [webtest]
>> extra, though. Zope2 depends on zope.testbrowser and has no dependency
>> on any zope.app packages - this must continue to be the case. Required
>> test dependencies count towards real dependencies here.
>
> I understand your point, but the situation was already pretty nasty as
> zope.testbrowser already depended on:
>
>   zope.app.appsetup
>   zope.app.publication
>   zope.app.testing >= 3.8
>
> I agree that any extra dependency is not welcome, but this feature opens
> up a path to radically reducing the dependencies of zope.testbrowser.
> See below.
>
>> The real fix would probably be to move the reusable code out of
>> zope.app.wsgi into a zope.wsgi package, but that might be more than
>> you are willing to do now. I do believe some of the Grok people would
>> be interested in this as well.
>
> There is also another route open now with the addition of the webtest
> feature. We could invert the zope.testbrowser -> zope.app.testing
> dependency.
>
> This is a major re-factoring, but will leave the zope.testbrowser
> dependencies looking like this:
>
>     install_requires = [
>         'mechanize>=0.2.0',
>         'setuptools',
>         'zope.interface',
>         'zope.schema',
>         'pytz',
>         ],
>     extras_require = {
>         'test': [
>             'WebOb',
>             'WebTest',
>             ]
>         }
>
> Basically this would require:
>
> * Re-writing the zope.testbrowser.ftests test application as a pure
>   WSGI app (using WebOb)
> * Test only against zope.testbrowser.wsgi and refactor tests to not
>   use features from zope.app.testing.functional
> * Move zope.testbrowser.testing into zope.testbrowser.wsgi and
>   zope.app.testing.testbrowser
> * Leave backwards compatibility imports in place in
>   zope.testbrowser.testing
>
> I'd be willing to have a look at this if Benji were OK in principle on
> this and someone was willing to review it.
>
> --
> Brian Sutherland

Hi Brian,

I'd be happy to contribute to your zope.testbrowser refactoring. I am primarily interested from the perspective of grok and zope.app.wsgi.

--
Jan-Jaap Driessen