Thibault Fevry added the comment:

@David The XSS is the main, most visible issue.

The other issue is that http://bugs.python.org/user?@sort=password sorts users by their password (as can be seen by nobody having an empty password). This means I know that viznut's password < moshez's password. This means that if you create a user with password 'ai' and it is after viznut, you know that his password is 'a[a-h]'. This looks very tiring, but I don't see any reason why, given enough time (this can probably be automated) and enough accounts created, you shouldn't get his password [*].

It is bad policy to have a false account (I guess 'nobody' is a generic account for developers) with no password and more privileges than any normal user, including things that could go bad (such as a user removing all the tags).

[*] Except if passwords are properly hashed and salted, then it would be near impossible.

_______________________________________________________
PSF Meta Tracker <metatrac...@psf.upfronthosting.co.za>
<http://psf.upfronthosting.co.za/roundup/meta/issue519>
_______________________________________________________
Tracker-discuss mailing list: http://mail.python.org/mailman/listinfo/tracker-discuss
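The two mitigations implied by the message above, as an added example that is not part of the original thread and not Roundup's own code: a sort parameter is checked against an allow-list of public fields before any ordering happens, so `@sort=password` is rejected instead of turning the user list into a comparison oracle, and stored passwords are random-salted PBKDF2 hashes that never verify when the stored value is empty. The `@sort=field` / `@sort=-field` syntax, the field names and the user records are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real tracker data). The password column holds
# a salted hash, never the clear-text password.
USERS = [
    {"username": "viznut", "realname": "Viznut", "password": ""},
    {"username": "moshez", "realname": "Moshe", "password": ""},
    {"username": "nobody", "realname": "Generic", "password": ""},
]

# Allow-list of fields the user list may be sorted by. Anything not listed
# (password, private e-mail, ...) is refused before the query is built.
SORTABLE_FIELDS = {"username", "realname"}

PBKDF2_ROUNDS = 200_000


def parse_sort_param(value: str):
    """Parse an assumed Roundup-style @sort value ("field" or "-field").

    Returns (field, descending) or raises ValueError for disallowed fields.
    """
    descending = value.startswith("-")
    field = value[1:] if descending else value
    if field not in SORTABLE_FIELDS:
        raise ValueError(f"sorting by {field!r} is not permitted")
    return field, descending


def sorted_usernames(users, sort_param: str):
    """Return usernames ordered by an allow-listed field only."""
    field, descending = parse_sort_param(sort_param)
    ordered = sorted(users, key=lambda u: u[field], reverse=descending)
    return [u["username"] for u in ordered]


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; equal passwords give different hashes."""
    if not password:
        raise ValueError("empty passwords are not allowed")
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Constant-time check; an empty or malformed stored value never authenticates."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(sorted_usernames(USERS, "username"))
    try:
        sorted_usernames(USERS, "password")
    except ValueError as exc:
        print("rejected:", exc)
    h = hash_password("s3cret")
    print(verify_password(h, "s3cret"), verify_password(h, "wrong"), verify_password("", ""))
```

Because ordering is decided only over allow-listed fields, a stored hash is never compared against another account's value, and because each hash carries its own random salt, even two accounts with the same password would not sort next to each other.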