On Tue, Aug 11, 2009 at 9:16 PM, Mark Ramm<[email protected]> wrote:
> We recently discovered that TurboGears2 ships with quickstart configuration
> that leaves users of its default user authorization/authentication scheme
> vulnerable to a serious security issue.
>
> If you are running a TG2 application in production you are strongly
> encouraged to set the cookie salt for the authorization cookie in repoze.who
> to something other than its default value.
>
> This is simple enough to do, just set base_config.sa_auth.cookie_secret to
> any secret value you'd like. For example:
>
>     base_config.sa_auth.cookie_secret = "mynewsecret"
>
> You can also set it in development.ini using a key like:
>
>     sa_auth.cookie_secret = "mysupersecret"
>
> Failure to do this could leave you vulnerable to someone who knows the
> default cookie secret being able to craft a cookie that allows a user into
> your site without authenticating through the normal mechanism.
>
> TurboGears 2.0.2 will enforce setting the cookie secret and will refuse to
> run if you have not set that value in your configuration.
>
> We've just released 2.0.2, which also fixes another security issue which
> could cause controller methods decorated with something other tha...@expose
> to still be exposed through the url dispatch mechanism.
>
> You can update to 2.0.2 with
>
>     easy_install -Ui http://turbogears.org/2.0/downloads/current/ turbogears2
Small correction: on my Linux box you need

    easy_install -Ui http://turbogears.org/2.0/downloads/current/ TurboGears2

(note the caps).

> --
> Mark Ramm-Christensen
> email: mark at compoundthinking dot com
> blog: www.compoundthinking.com/blog
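The announcement above says 2.0.2 will refuse to start when the cookie secret is unset. The following is an added example of such a startup guard, written for this page and not taken from TurboGears or repoze.who. It assumes the application config is handed over as a flat mapping of ini keys (as in the [app:main] section of development.ini), that the secret lives under `sa_auth.cookie_secret`, and that the placeholder list and the 32-character minimum are this example's own policy rather than anything the announcement specifies. Beyond the "is it set" check the post describes, it also rejects the two example strings from the post and other well-known placeholders, since a secret that has been published is no better than the default, and it shows how to generate a replacement with `secrets`.

```python
"""Startup guard for the repoze.who cookie secret.

Added example, not code from TurboGears or repoze.who. Assumptions: the
application config arrives as a flat mapping of ini keys (as in the
[app:main] section of development.ini), the secret is stored under
'sa_auth.cookie_secret', and the placeholder list and minimum length below
are this example's own policy, not values the announcement specifies.
"""
import configparser
import secrets

# Values that must never be accepted as a cookie secret. The first two are the
# literal example strings from the announcement; the rest are constructed.
PLACEHOLDER_SECRETS = frozenset({
    "mynewsecret", "mysupersecret", "secret", "changeme", "password",
})

# Assumption: demand at least 32 characters so the secret cannot be guessed;
# secrets.token_urlsafe(32) yields 43 characters and passes comfortably.
MIN_SECRET_LENGTH = 32


class CookieSecretError(ValueError):
    """Raised when the auth-cookie secret is missing or unacceptably weak."""


def normalize_secret(raw):
    """Strip whitespace and the surrounding quotes an ini author may have typed."""
    if raw is None:
        return None
    value = raw.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return value


def secret_problems(raw):
    """Return a list of problem codes for a candidate secret (empty list = acceptable)."""
    value = normalize_secret(raw)
    if value is None:
        return ["missing"]
    if value == "":
        return ["empty"]
    problems = []
    if value.lower() in PLACEHOLDER_SECRETS:
        problems.append("placeholder")
    if len(value) < MIN_SECRET_LENGTH:
        problems.append("too-short")
    return problems


def check_cookie_secret(config, key="sa_auth.cookie_secret"):
    """Return the usable secret from config, or refuse to start."""
    raw = config.get(key)
    problems = secret_problems(raw)
    if problems:
        raise CookieSecretError(
            f"{key} is {', '.join(problems)}; refusing to start. "
            "Set it to a long random value, e.g. the output of "
            "generate_cookie_secret()."
        )
    return normalize_secret(raw)


def load_ini_secret(ini_text, section="app:main"):
    """Parse an ini file and run the same check on its [app:main] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return check_cookie_secret(parser[section])


def generate_cookie_secret(nbytes=32):
    """Produce a secret that passes the check: 32 random bytes, URL-safe base64."""
    return secrets.token_urlsafe(nbytes)


# Constructed sample configs for the demonstration (not real project files).
WEAK_INI = """
[app:main]
use = egg:myapp
sa_auth.cookie_secret = "mysupersecret"
"""

STRONG_INI = """
[app:main]
use = egg:myapp
sa_auth.cookie_secret = k6Z0v1w3Q8pX2rT9mN4bH7cL5sJ1yF0dG3uV8aE2nW6q
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("strong", STRONG_INI)):
        try:
            print(name, "ok:", load_ini_secret(text))
        except CookieSecretError as exc:
            print(name, "rejected:", exc)
    print("suggested secret:", generate_cookie_secret())
```

Run as a script it rejects the weak ini and accepts the strong one; wired into application start-up, `check_cookie_secret` should be called once before the first request is served, so a misconfigured deployment fails loudly instead of quietly issuing forgeable cookies.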

