On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord <michael(a)voidspace.org.uk> wrote:
> On 15 Jul 2013, at 11:05, "M.-A. Lemburg" <mal(a)python.org> wrote:
> > Who would be the one to contact for issues like these ?
> > The case is rather urgent, since the XSS can be used for stealing
> > session cookies on *.python.org.
> > The sorting by password issue is a more obscure one. Just removing
> > the "feature" to sort by password should be enough to solve it.
> Technically it's an infrastructure issue (cc'd), but fixing the code of roundup is hardly their domain.
> Ezio Melotti (cc'd) did a lot of work on the Python installation of roundup, so he may have a better idea.
> We have a security mailing list but that is mainly intended for security issues in the language:
> security(a)python.org <security(a)python.org>
The OP also emailed security (which I heard about via IRC, I'm not
on that list).
Ezio is a Roundup developer, so he is indeed the best person to look
at the XSS issue, since it is a Roundup problem and not specific to
the Tracker. I can take a look too but he is more knowledgeable
than I about roundup itself.
There is another problem which is specific to our tracker and which is the
bigger issue right at the moment. We have a 'nobody' user with a blank
password and Developer privileges.
I'm about to go out, so I don't want to make a change that might break
something right this moment, but anyone with the Coordinator role
could take this on if they want to do it right now: remove either the
Developer role, or both roles, from that user and see what happens.
I suspect that user should not exist at all, but I don't know for sure.