I reviewed python-oauth2 version 1.5.211-2ubuntu3 as checked into saucy.
This should not be considered a full security audit but instead just a
quick check of code quality.

- This library provides a Python implementation of Oauth2 client and
  server, so http clients can use private resources without exposing a
  username / password combination to the http client.
- Uses HMAC, SHA1
- Uses python-httplib2 for networking
- Intended use of this library is as a plugin for other services,
  though imap and smtp examples are provided.
- Does not itself listen on external interfaces but extensively handles
  network-supplied data
- Does not have privileged portions of code
- No initscripts, dbus services, setuid programs, binaries, sudo fragments
- Good test suite
- No cronjobs
- Clean build logs
- No spawned subprocesses
- No file handling
- Exceptions may provide unescaped user-supplied data via web services or
  log files; the exceptions should probably escape the user-supplied data.
- No environment variables
- Only uses HMAC-SHA1 cryptography primitive, used appropriately
- Does not use webkit

I've requested CVEs for some of the results of my audit.

I noticed build_authenticate_header() doesn't escape realm, and
to_header() doesn't escape oauth_* keys, nor realm. This is completely
fine if the realms and oauth_* keys are hardcoded, and is probably fine
if they are at most configured in a configuration file, but if
an untrusted actor is in a position to configure the name of a realm,
arbitrary HTTP headers and body content can be injected into requests
or responses. A library should probably escape these inputs.
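As an added illustration (not code from python-oauth2 itself), the sketch below models the shape of the two functions named above next to a hardened variant that backslash-escapes quoted-string values and refuses control characters, so a configurable realm or oauth_* key can no longer terminate the header line. The function names mirror the ones above, but the bodies, the `quote_header_value` helper and the sample inputs are assumptions for this example.

```python
import re

# Control characters (including CR and LF) must never appear inside an
# HTTP field value; a bare CRLF in a realm would start a new header line.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def build_authenticate_header_unescaped(realm=""):
    """Assumed shape of the unsafe behaviour: realm is interpolated verbatim."""
    return {"WWW-Authenticate": 'OAuth realm="%s"' % realm}


def quote_header_value(value):
    """Make a string safe to embed inside a quoted-string header parameter.

    Rejects control characters and escapes the two characters (backslash
    and double quote) that could otherwise close the quoted-string early.
    """
    value = str(value)
    if _CTL.search(value):
        raise ValueError("control character in header parameter")
    return value.replace("\\", "\\\\").replace('"', '\\"')


def is_safe_header_param(value):
    """True if the value can be embedded without rejection."""
    try:
        quote_header_value(value)
        return True
    except ValueError:
        return False


def build_authenticate_header(realm=""):
    """Hardened variant: realm is escaped before interpolation."""
    return {"WWW-Authenticate": 'OAuth realm="%s"' % quote_header_value(realm)}


def to_header(params, realm=""):
    """Serialize oauth_* parameters as an Authorization header, escaping
    realm, keys and values alike; non-oauth_ keys are dropped (assumption)."""
    parts = ['realm="%s"' % quote_header_value(realm)]
    for key, value in sorted(params.items()):
        if key.startswith("oauth_"):
            parts.append('%s="%s"' % (quote_header_value(key),
                                       quote_header_value(value)))
    return {"Authorization": "OAuth " + ", ".join(parts)}


def header_line_count(headers):
    """Physical lines the dict would serialize to; more than len(headers)
    means a value smuggled in a line break (a simple detection check)."""
    return sum(1 + v.count("\n") for v in headers.values())
```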

This library also makes it easy to use both HTTP (without TLS) and
PLAINTEXT signature methods. As Oauth2 requires HTTPS for safe use, it
would be ideal to forbid HTTP, and it is difficult to see the value of the
PLAINTEXT signature method.

Here are the conditions for promoting python-oauth2 to main:
- The CVEs I've requested need to be fixed
- Someone more familiar with the code needs to strongly consider patching
  out HTTP support
- Someone more familiar with the code needs to strongly consider patching
  out PLAINTEXT support
- Someone more familiar with the code needs to report if the unescaped
  network-supplied data in exceptions can cause XSS or CSRF problems.

As this package currently stands, security team NAK for inclusion in
main.

Thanks

https://bugs.launchpad.net/bugs/1213934

Title:
  [MIR] python-oauth2