Re: [python-committers] [Infrastructure] [Pydotorg] XSS security issue
On Mon, 15 Jul 2013 08:22:40 -0400, Donald Stufft <donald@stufft.io> wrote:
> So I was able to log in to the "nobody" account without a password (Why is this even possible?). It gave me powers to edit users and some other shit. I added a password to the nobody account since these lists are publicly available and if I can get into that user so can others.
Ah, I didn't realize you could edit users (I thought that was Coordinator role) or I would have changed the password myself.
> I will make the password available to whoever is in charge (or they can just change the password themselves, I don't care).
I think the user should just be retired. My guess is that it dates from a time when we were less worried about bad actors coming in and trashing things just for the fun of it. What I don't know is if there is some script somewhere depending on it being a valid user. For now, I've removed its access roles, and we'll see if anything breaks.
--David
> On 2013-07-15 17:16, R. David Murray wrote:
> I will make the password available to whoever is in charge (or they can just change the password themselves, I don't care).
> I think the user should just be retired. My guess is that it dates from a time when we were less worried about bad actors coming in and trashing things just for the fun of it. What I don't know is if there is some script somewhere depending on it being a valid user. For now, I've removed its access roles, and we'll see if anything breaks.
Isn't it the user for automatic Roundup updates from hg pushes?
Regards
Antoine.
On 15 Jul, 2013, at 18:02, Antoine Pitrou <solipsis@pitrou.net> wrote:
> On 2013-07-15 17:16, R. David Murray wrote:
>> I will make the password available to whoever is in charge (or they can just change the password themselves, I don't care). I think the user should just be retired. My guess is that it dates from a time when we were less worried about bad actors coming in and trashing things just for the fun of it. What I don't know is if there is some script somewhere depending on it being a valid user. For now, I've removed its access roles, and we'll see if anything breaks.
> Isn't it the user for automatic Roundup updates from hg pushes?
I've checked in a change just now and that message still ends up on the tracker.
Ronald
On Mon, 15 Jul 2013 18:02:35 +0200, Antoine Pitrou <solipsis@pitrou.net> wrote:
> On 2013-07-15 17:16, R. David Murray wrote:
>> I will make the password available to whoever is in charge (or they can just change the password themselves, I don't care).
>> I think the user should just be retired. My guess is that it dates from a time when we were less worried about bad actors coming in and trashing things just for the fun of it. What I don't know is if there is some script somewhere depending on it being a valid user. For now, I've removed its access roles, and we'll see if anything breaks.
> Isn't it the user for automatic Roundup updates from hg pushes?
No, that one is python-dev. Push updates are still working.
--David