Hi Mark, that's an important improvement.
On Wed, Aug 12, 2009 at 04:16, Mark Ramm<[email protected]> wrote:
We recently discovered that TurboGears2 ships with quickstart configuration that leaves users of its default user authorization/authentication scheme vulnerable to a serious security issue. If you are running a TG2 application in production you are strongly encouraged to set the cookie salt for the authorization cookie in repoze.who to something other than its default value. This is simple enough to do, just set base_config.sa_auth.cookie_secret to any secret value you'd like. For example:

base_config.sa_auth.cookie_secret = "mynewsecret"

You can also set it in development.ini using a key like:

sa_auth.cookie_secret = "mysupersecret"
It's a matter of my misunderstanding of the ini formats, but I failed to set this in my roughly default development.ini. Any idea is welcome.
Failure to do this could leave you vulnerable to someone who knows the default cookie secret being able to craft a cookie that allows a user into your site without authenticating through the normal mechanism.

TurboGears 2.0.2 will enforce setting the cookie secret and will refuse to run if you have not set that value in your configuration. We've just released 2.0.2, which also fixes another security issue which could cause controller methods decorated with something other tha...@expose to still be exposed through the url dispatch mechanism.

You can update to 2.0.2 with:

easy_install -Ui http://turbogears.org/2.0/downloads/current/ turbogears2
Well, this wouldn't work for me either, and I had to specify the tar.gz name manually.
-- Mark Ramm-Christensen email: mark at compoundthinking dot com blog: www.compoundthinking.com/blog
-- alex
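The point of Mark's warning, shown in working code as an added example (this is not TurboGears or repoze.who code, and the cookie format below is a deliberately simplified HMAC-SHA256 scheme, not repoze.who's auth_tkt format): with a signed auth cookie, anyone who knows the signing secret can mint a cookie for any user, so a secret that ships as a default is no secret at all. The block also implements the kind of startup check 2.0.2 is described as adding, generates a fresh secret to paste into development.ini, and reads the `sa_auth.cookie_secret` key from a constructed ini fragment. The `DEFAULT_SECRET` value, the `[app:main]` section layout and all function names are assumptions made for the example.

```python
import base64
import configparser
import hashlib
import hmac
import secrets
import time

# Hypothetical stand-in for a shipped default: the real default value is not
# quoted in the thread and does not matter for the demonstration.
DEFAULT_SECRET = "secret"


def sign_cookie(secret, userid, expires):
    """Mint a signed auth cookie as base64("userid|expires|hmac-sha256")."""
    payload = "%s|%d" % (userid, expires)
    mac = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(("%s|%s" % (payload, mac)).encode()).decode()


def verify_cookie(secret, cookie, now=None):
    """Return the user id if the cookie is validly signed and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode()).decode()
        payload, mac = raw.rsplit("|", 1)
        userid, expires = payload.rsplit("|", 1)
        expires = int(expires)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if expires < now:
        return None
    return userid


def forge_as(attacker_secret, app_secret, userid="admin"):
    """An attacker who knows attacker_secret mints a cookie for userid; the app
    verifies it with app_secret.  Returns the user the app would log in, or None."""
    forged = sign_cookie(attacker_secret, userid, int(time.time()) + 3600)
    return verify_cookie(app_secret, forged)


def validate_sa_auth_config(sa_auth):
    """Startup check in the spirit of TG 2.0.2: refuse to run without a real secret."""
    secret = sa_auth.get("cookie_secret", "")
    if not secret:
        raise RuntimeError("sa_auth.cookie_secret is not set; refusing to start")
    if secret == DEFAULT_SECRET:
        raise RuntimeError("sa_auth.cookie_secret is still the default; refusing to start")
    return True


def generate_cookie_secret(nbytes=32):
    """A fresh random secret suitable for pasting into development.ini."""
    return secrets.token_hex(nbytes)


def load_sa_auth_from_ini(ini_text, section="app:main"):
    """Collect the sa_auth.* keys from an ini section.  The [app:main] layout is
    an assumption (PasteDeploy style); the thread does not show the file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    prefix = "sa_auth."
    return {k[len(prefix):]: v for k, v in cp.items(section) if k.startswith(prefix)}


# Constructed ini fragments: the weak default beside the corrected setting.
WEAK_INI = """\
[app:main]
use = egg:myapp
sa_auth.cookie_secret = secret
"""

FIXED_INI = """\
[app:main]
use = egg:myapp
sa_auth.cookie_secret = 7f3b9c1d2e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c
"""

if __name__ == "__main__":
    print("default secret, forged admin cookie accepted as:",
          forge_as(DEFAULT_SECRET, DEFAULT_SECRET))
    print("fresh secret, same forged cookie yields:",
          forge_as(DEFAULT_SECRET, generate_cookie_secret()))
    for name, ini in (("weak", WEAK_INI), ("fixed", FIXED_INI)):
        try:
            validate_sa_auth_config(load_sa_auth_from_ini(ini))
            print(name, "config: ok")
        except RuntimeError as e:
            print(name, "config:", e)
```

Two practical notes. The check rejects only a missing secret and the one known default; a short or guessable secret chosen by hand passes it, so generate the value rather than typing one. And if you rotate the secret, every existing auth cookie stops verifying, which is exactly what you want after a deployment that ran with the default.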