We recently discovered that TurboGears2 ships with quickstart configuration that leaves users of its default user authorization/authentication scheme vulnerable to a serious security issue. If you are running a TG2 application in production you are strongly encouraged to set the cookie salt for the authorization cookie in repoze.who to something other than its default value.

This is simple enough to do, just set base_config.sa_auth.cookie_secret to any secret value you'd like. For example:

    base_config.sa_auth.cookie_secret = "mynewsecret"

You can also set it in development.ini using a key like:

    sa_auth.cookie_secret = "mysupersecret"

Failure to do this could leave you vulnerable to someone who knows the default cookie secret being able to craft a cookie that allows a user into your site without authenticating through the normal mechanism. TurboGears 2.0.2 will enforce setting the cookie secret and will refuse to run if you have not set that value in your configuration.

We've just released 2.0.2, which also fixes another security issue which could cause controller methods decorated with something other than @expose to still be exposed through the URL dispatch mechanism. You can update to 2.0.2 with:

    easy_install -Ui http://turbogears.org/2.0/downloads/current/ turbogears2

--
Mark Ramm-Christensen
email: mark at compoundthinking dot com
blog: www.compoundthinking.com/blog
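A startup check of the kind the announcement says 2.0.2 now performs, written here as an added Python example (not TurboGears' or repoze.who's own code): it reads sa_auth.cookie_secret from INI text and rejects a missing, placeholder or weak value. The placeholder list, the minimum length and the sample INI contents are assumptions; the post does not state the actual default secret.

```python
"""Startup check for the TurboGears 2 / repoze.who cookie secret (added example)."""
import configparser
import secrets

# Assumed placeholders: template/doc values that must never reach production.
PLACEHOLDER_SECRETS = {"", "secret", "mysupersecret", "mynewsecret", "changeme"}
MIN_SECRET_LENGTH = 32  # assumption: 32 chars is a sensible floor for a signing secret


def check_cookie_secret(value):
    """Return (ok, reason) for a candidate cookie secret string or None."""
    if value is None:
        return False, "sa_auth.cookie_secret is not set"
    # INI values in the post are quoted; strip surrounding quotes before judging.
    cleaned = value.strip().strip('"').strip("'")
    if cleaned.lower() in PLACEHOLDER_SECRETS:
        return False, "cookie secret is a known placeholder"
    if len(cleaned) < MIN_SECRET_LENGTH:
        return False, "cookie secret shorter than %d characters" % MIN_SECRET_LENGTH
    if len(set(cleaned)) < 8:
        return False, "cookie secret has too little character variety"
    return True, "ok"


def check_ini_text(ini_text, section="app:main"):
    """Parse INI text (a constructed sample is below) and check the secret key."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    value = parser.get(section, "sa_auth.cookie_secret", fallback=None)
    return check_cookie_secret(value)


def new_cookie_secret(nbytes=32):
    """Generate a replacement secret from the OS CSPRNG (64 hex characters)."""
    return secrets.token_hex(nbytes)


# Constructed samples: one copies the post's development.ini example, one omits the key.
WEAK_INI = '[app:main]\nuse = egg:myapp\nsa_auth.cookie_secret = "mysupersecret"\n'
MISSING_INI = "[app:main]\nuse = egg:myapp\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("missing", MISSING_INI)):
        ok, reason = check_ini_text(text)
        print("%s config: ok=%s (%s)" % (name, ok, reason))
    print("suggested replacement secret:", new_cookie_secret())
```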

