I reviewed python-repoze.who version 1.0.18-4 from Ubuntu vivid. This should not be considered a full security audit but instead a quick gauge of maintainability.
- python-repoze.who is a generic authentication middleware for python applications; it sits between a wsgi server and application and modifies http requests and responses.
- Build-Depends: debhelper, cdbs, python-dev, dh-python, python-setuptools, python-sphinx, python-zope.interface, python-paste
- Does not daemonize
- pre/post inst/rm scripts automatically generated
- No initscripts
- No dbus services
- No setuid executables
- No sudo fragments
- No udev rules
- No cronjobs
- Test suite run during the build
- No subprocesses spawned
- Files read under command of configurations
- Logging looked simple
- No environment variables used
- No privileged portions of code
- Networking driven by webserver
- Slight cryptography used, actual provided password storage mechanisms are weak
- No temporary files
- No webkit
- No javascript
- No policykit

While reviewing this code I found a few things that seemed worth reporting here:

- ./repoze/who/plugins/htpasswd.py plain_check() function allows timing-based password discovery, crypt_check() hard-codes two character salt
- InsecureCookiePlugin doesn't appear to authenticate or encrypt the cookie data, or set httponly flag or set secure flag; ignoring the secure flag makes some sense for an InsecureCookie mechanism but lacking httponly and authenticated data is perhaps surprising to authors.
- doesn't appear to use HttpOnly cookie flag
- no csrf protection in default login form in repoze/who/plugins/form.py
- unknown session fixation prevention in default login form
- default_password_compare in ./repoze/who/plugins/sql.py does not salt or iterate passwords; plaintext variant allows timing-based password guessing, and stored passwords cannot start with (SHA)

I believe the core code of python-repoze.who is reliable enough, but the default providers for backends and forms don't look like they are production quality.
Passwords are stored in plaintext, or insufficiently salted and iterated, and timing-sensitive comparison routines are used. The login form doesn't protect against session fixation or csrf. Simple and usual protections on cookies are ignored.

This presents a dilemma; essentially, all non-toy programs have to provide their own storage and authentication plugins to be able to safely use this tool. It seems incorrect to promote a project to main with many known flaws in the defaults, but if no real tools actually use the defaults, the issues might be mostly academic. The use by python-pysaml2 seemed safe enough.

The upstream authors have not yet responded to my questions. The above issues may warrant security fixes, issues that would be best to fix before shipment if we can.

I'm concerned to hear that this package is orphaned in Debian because it also feels orphaned upstream. While we probably could take on maintenance of this package ourselves I have to ask if we should use a different mechanism for login tracking.

So I propose a conditional ACK to promote this package to main, conditional on two pieces:

*1* a statement from the server team that this package is the best known way for the pysaml2 tool to manage logins.

*2* a statement from the server team that they will assist in maintenance efforts for the supported life of this package, and will ask to demote it again in the future if a viable replacement is found.

Thanks

** Changed in: python-repoze.who (Ubuntu)
       Assignee: Seth Arnold (seth-arnold) => (unassigned)

** Changed in: python-pysaml2 (Ubuntu)
       Assignee: Seth Arnold (seth-arnold) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to python-pysaml2 in Ubuntu.
https://bugs.launchpad.net/bugs/1407695

Title:
  [MIR] python-saml2, python-repoze.who, xmlsec1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-pysaml2/+bug/1407695/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
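The review above faults the default plugins on three points: password comparison that leaks timing, password storage that is neither salted nor iterated, and cookie data that is neither authenticated nor marked HttpOnly/Secure. The following is an added illustration of what a hardened storage plugin and cookie helper would do about each point; it is not code from repoze.who, from python-pysaml2, or from the reviewer. The record format (`pbkdf2_sha256$iterations$salt$digest`), the iteration count, the `session` cookie name and every function name here are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this hypothetical plugin (not repoze.who's own).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def weak_compare(stored: str, candidate: str) -> bool:
    """The pattern the review flags: '==' on strings returns as soon as one
    byte differs, so response time reveals how much of the guess matched."""
    return stored == candidate


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash stored as a self-describing record so the
    parameters can be raised later without re-hashing every user at once."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time.
    Malformed records are rejected rather than treated as plaintext."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds < 1:
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(recomputed, expected)


def make_session_cookie(userid: str, key: bytes) -> str:
    """Build a Set-Cookie header whose value carries an HMAC tag over the
    user id, with the HttpOnly and Secure flags the review says are missing."""
    tag = hmac.new(key, userid.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"session={userid}|{tag}; HttpOnly; Secure; SameSite=Lax; Path=/"


def read_session_cookie(value: str, key: bytes) -> Optional[str]:
    """Return the user id only if the tag verifies; any edit to the id or
    tag yields None instead of a different identity."""
    userid, sep, tag = value.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, userid.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return userid


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("good password accepted:", verify_password(record, "correct horse battery staple"))
    print("bad password rejected:", not verify_password(record, "correct horse battery stable"))
    key = os.urandom(32)  # constructed server-side key
    header = make_session_cookie("alice", key)
    print(header)
    cookie_value = header.split(";")[0].split("=", 1)[1]
    print("cookie verifies as:", read_session_cookie(cookie_value, key))
```

The storage half stands in for the `default_password_compare` and `plain_check` behaviour the review describes: the stored record carries its own salt and work factor, and the comparison is delegated to `hmac.compare_digest`. The cookie half shows the minimum an `InsecureCookiePlugin` replacement would need so that a client cannot rewrite the user id and script on the page cannot read the cookie; CSRF and session fixation in the login form are separate concerns and are not covered here.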