I reviewed python-repoze.who version 1.0.18-4 from Ubuntu vivid. This
should not be considered a full security audit but instead a quick gauge
of maintainability.

- python-repoze.who is a generic authentication middleware for python
  applications; it sits between a wsgi server and application and modifies
  http requests and responses.
- Build-Depends: debhelper, cdbs, python-dev, dh-python,
  python-setuptools, python-sphinx, python-zope.interface, python-paste
- Does not daemonize
- pre/post inst/rm scripts automatically generated
- No initscripts
- No dbus services
- No setuid executables
- No sudo fragments
- No udev rules
- No cronjobs
- Test suite run during the build

- No subprocesses spawned
- Files read under command of configurations
- Logging looked simple
- No environment variables used
- No privileged portions of code
- Networking driven by webserver
- Slight cryptography used, actual provided password storage mechanisms
  are weak
- No temporary files
- No webkit
- No javascript
- No policykit

While reviewing this code I found a few things that seemed worth reporting
here:

- ./repoze/who/plugins/htpasswd.py plain_check() function allows
  timing-based password discovery, crypt_check() hard-codes two character
  salt
- InsecureCookiePlugin doesn't appear to authenticate or encrypt the
  cookie data, or set the httponly flag or the secure flag; ignoring the
  secure flag makes some sense for an InsecureCookie mechanism, but lacking
  httponly and authenticated data is perhaps surprising to the authors.
- doesn't appear to use HttpOnly cookie flag
- no csrf protection in default login form in repoze/who/plugins/form.py
- unknown session fixation prevention in default login form
- default_password_compare in ./repoze/who/plugins/sql.py does not
  salt or iterate passwords; plaintext variant allows timing-based
  password guessing, and stored passwords cannot start with (SHA)

I believe the core code of python-repoze.who is reliable enough, but
the default providers for backends and forms don't look like they are
production quality. Passwords are stored in plaintext, or insufficiently
salted and iterated, and timing-sensitive comparison routines are used.
The login form doesn't protect against session fixation or csrf. Simple
and usual protections on cookies are ignored.

This presents a dilemma; essentially, all non-toy programs have to provide
their own storage and authentication plugins to be able to safely use this
tool. It seems incorrect to promote a project to main with many known
flaws in the defaults, but if no real tools actually use the defaults,
the issues might be mostly academic.

The use by python-pysaml2 seemed safe enough.

The upstream authors have not yet responded to my questions. The above
issues may warrant security fixes, issues that would be best fixed
before shipment if we can. I'm concerned to hear that this package is
orphaned in Debian because it also feels orphaned upstream.

While we probably could take on maintenance of this package ourselves I
have to ask if we should use a different mechanism for login tracking.

So I propose a conditional ACK to promote this package to main,
conditional on two pieces:

*1* a statement from the server team that this package is the best known
way for the pysaml2 tool to manage logins.

*2* a statement from the server team that they will assist in maintenance
efforts for the supported life of this package, and will ask to demote it
again in the future if a viable replacement is found.

Thanks


** Changed in: python-repoze.who (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)

** Changed in: python-pysaml2 (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-pysaml2 in Ubuntu.
https://bugs.launchpad.net/bugs/1407695

Title:
  [MIR] python-saml2, python-repoze.who, xmlsec1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-pysaml2/+bug/1407695/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
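The review above flags three patterns in the default plugins: short-circuit
string comparison of passwords (timing leak), unsalted and un-iterated
digests with a magic prefix, and cookies that carry no authenticator and no
HttpOnly flag. The block below is an added example written for this page;
it is not code from repoze.who, pysaml2 or the reviewer. weak_compare()
only mirrors the shape described in the report: the "{SHA}" prefix, the
function and variable names, the PBKDF2 encoding and the cookie layout are
all assumptions made here for illustration, not quotes of upstream.

```python
"""Added example (not repoze.who code): the weak patterns named in the
review beside hardened replacements.

  * weak_compare()       unsalted SHA-1 behind an assumed "{SHA}" prefix,
                         else a plaintext '==' that stops at the first
                         mismatching character.
  * leak_position()      what that early exit reveals: the length of the
                         matching prefix, which is what a timing attacker
                         measures one character at a time.
  * hash_password() /    per-user random salt, PBKDF2-HMAC-SHA256 with a
    verify_password()    work factor, constant-time digest comparison.
  * sign_cookie() /      HMAC-authenticated cookie value plus a Set-Cookie
    verify_cookie()      header carrying HttpOnly and Secure.
"""
import base64
import hashlib
import hmac
import os
import time

# --- weak: shape of the reported default comparator (illustrative only) ---
def weak_compare(cleartext, stored):
    """'{SHA}' prefix selects unsalted SHA-1, otherwise plaintext."""
    if stored.startswith("{SHA}"):
        return hashlib.sha1(cleartext.encode()).hexdigest() == stored[5:]
    # Plaintext fallback: a real password beginning with '{SHA}' can never
    # be verified, and '==' returns as soon as one character differs.
    return cleartext == stored

def leak_position(guess, secret):
    """Number of leading characters a short-circuit compare examines before
    it can return: the quantity a timing side channel exposes."""
    n = 0
    for g, s in zip(guess, secret):
        if g != s:
            break
        n += 1
    return n

# --- hardened: salted, iterated, constant-time ---
ITERATIONS = 600_000   # assumed work factor; tune to ~100 ms on the target

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def hash_password(cleartext, salt=None, iterations=ITERATIONS):
    """Return '$pbkdf2-sha256$<iters>$<salt>$<dk>' (assumed encoding)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", cleartext.encode(), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))

def verify_password(cleartext, stored):
    """Recompute with the stored salt/iterations; compare in constant time."""
    try:
        _, scheme, iters, salt, dk = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt, dk, iters = base64.b64decode(salt), base64.b64decode(dk), int(iters)
    except (ValueError, TypeError):
        return False
    got = hashlib.pbkdf2_hmac("sha256", cleartext.encode(), salt, iters)
    return hmac.compare_digest(got, dk)

# --- cookies: authenticate the value and set the protective flags ---
def sign_cookie(userid, key, expires):
    """value = b64(userid)|expires|hmac-sha256(key, b64(userid)|expires)."""
    payload = "%s|%d" % (_b64(userid.encode()), expires)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag

def verify_cookie(value, key, now=None):
    """Return the userid if the tag verifies and the cookie is unexpired."""
    now = time.time() if now is None else now
    try:
        uid_b64, expires, tag = value.split("|")
        payload = "%s|%d" % (uid_b64, int(expires))
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None          # tampered or forged: reject before trusting expiry
    if int(expires) < now:
        return None
    return base64.b64decode(uid_b64).decode()

def set_cookie_header(name, value, secure=True):
    flags = ["Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        flags.append("Secure")
    return "Set-Cookie: %s=%s; %s" % (name, value, "; ".join(flags))

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(weak_compare("{SHA}hunter2", "{SHA}hunter2"))   # False: prefix clash
    print(leak_position("hunt3r2", "hunter2"))            # 4 matching chars
    h = hash_password("correct horse", iterations=10_000)
    print(verify_password("correct horse", h), verify_password("wrong", h))
    c = sign_cookie("alice", b"server-secret", 2_000_000_000)
    print(set_cookie_header("auth_tkt", c))
```

The weak comparator also shows the reported "cannot start with {SHA}" corner:
a stored value that is literally the user's password "{SHA}hunter2" is
treated as a digest, so the correct password never verifies. The hardened
functions use only the standard library, so a plugin built on them would add
no dependencies beyond what the package already pulls in.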