[Catalog-sig] Fwd: readthedocs.org or packages.python.org?

M.-A. Lemburg mal at egenix.com
Thu Feb 7 00:51:02 CET 2013


On 06.02.2013 23:55, Donald Stufft wrote:
> On Wednesday, February 6, 2013 at 5:53 PM, M.-A. Lemburg wrote:
>> On 06.02.2013 23:28, Donald Stufft wrote:
>>> On Wednesday, February 6, 2013 at 5:06 PM, martin at v.loewis.de wrote:
>>>>> Javascript hosted on packages.python.org has access to cookies on
>>>>> python.org. If python.org has
>>>>> any sort of login it's trivial to steal a session cookie.
>>>>
>>>> No, it doesn't. Cookies for "python.org" are not available to
>>>> "packages.python.org".
>>>> It would have to be a cookie for ".python.org". We don't issue such cookies.
>>>>
>>>
>>> http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
>>>
>>> Specifically:
>>>
>>> Note: according to one of the specs, domain wildcards should be marked with a preceding period, so .example.com would denote a wildcard match for the entire domain - including, somewhat confusingly, example.com proper - whereas foo.example.com would denote an exact host match. Sadly, no browser follows this logic, and domain=example.com is exactly equivalent to domain=.example.com. There is no way to limit cookies to a single DNS name only, other than by not specifying domain= value at all - and even this does not work in Microsoft Internet Explorer; likewise, there is no way to limit them to a specific port.
>>
>> A forced redirect from python.org to www.python.org should fix this,
>> provided that no service on *.python.org uses a .python.org
>> (or python.org) cookie.
>>
>>
> 
> http://en.wikipedia.org/wiki/Session_fixation
> 
> packages.python.org can set a .python.org cookie which www.python.org will read.

Right, but if you want to steal session cookies from e.g. www.python.org
or pypi.python.org, you'd be interested in the other way around, I suppose,
unless you want to invest a lot in social engineering :-)

In any case, if the systems on the various sub-domains of python.org allow
session fixation attacks, we should probably get those fixed.

And additionally, redirect (and move) packages.python.org to some new
top-level domain, so that we can avoid cross sub-domain attacks and
"only" have to deal with cross site style attacks ;-)

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 06 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
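The cookie-scoping behaviour argued over in this thread, worked through as a small model. This is an added example, not code from the thread or from python.org's infrastructure: it implements the domain-matching, storage and send rules of RFC 6265 (which codify the browser behaviour the quoted browsersec note describes, where Domain=python.org and Domain=.python.org are equivalent), ignores Path, Secure and the public-suffix check, and uses constructed host names; the function names are hypothetical.

```python
"""Model of how a user agent scopes cookies by Domain (RFC 6265 sections
5.1.3, 5.3 and 5.4). Added illustration; not python.org's code."""
from dataclasses import dataclass
from typing import List, Optional


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host domain-matches domain when they are equal or
    host ends with '.' + domain. (IP-address hosts never match; omitted.)"""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # effective domain after normalisation
    host_only: bool   # True when Set-Cookie carried no Domain= attribute


def store_cookie(request_host: str, name: str, value: str,
                 domain_attr: Optional[str] = None) -> Optional[Cookie]:
    """Emulate the user agent processing Set-Cookie from request_host.
    Returns the stored cookie, or None when the UA must ignore it."""
    if not domain_attr:
        # No Domain= at all: the only way to pin a cookie to one host name.
        return Cookie(name, value, request_host.lower(), host_only=True)
    # Browsers strip a leading dot, so ".python.org" == "python.org" (5.2.3).
    domain = domain_attr.lstrip(".").lower()
    # The setting host must domain-match the requested Domain (5.3 step 6):
    # a host may widen scope up to its parent, never sideways or elsewhere.
    if not domain_matches(request_host, domain):
        return None
    return Cookie(name, value, domain, host_only=False)


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 5.4: host-only cookies go to the exact host only; domain
    cookies go to every host that domain-matches the cookie's domain."""
    request_host = request_host.lower()
    if cookie.host_only:
        return request_host == cookie.domain
    return domain_matches(request_host, cookie.domain)


def fixation_exposure(setting_host: str, victim_hosts: List[str],
                      domain_attr: Optional[str]) -> List[str]:
    """Which victim hosts would receive a session cookie planted from
    setting_host with the given Domain= attribute? Empty list = no exposure."""
    planted = store_cookie(setting_host, "session", "attacker-chosen-id", domain_attr)
    if planted is None:
        return []
    return [h for h in victim_hosts if cookie_sent_to(planted, h)]


# Constructed sample hosts, named after the sites discussed in the thread.
VICTIMS = ["www.python.org", "pypi.python.org", "python.org"]

if __name__ == "__main__":
    # Host-only cookie from a sibling sub-domain: reaches nobody else.
    print(fixation_exposure("packages.python.org", VICTIMS, None))
    # Domain=.python.org and Domain=python.org behave identically and reach
    # every *.python.org host, which is the session-fixation path in the thread.
    print(fixation_exposure("packages.python.org", VICTIMS, ".python.org"))
    print(fixation_exposure("packages.python.org", VICTIMS, "python.org"))
    # Package hosting moved to its own top-level domain: the UA rejects the
    # cross-domain Set-Cookie outright, so nothing reaches python.org hosts.
    print(fixation_exposure("pythonhosted.example", VICTIMS, ".python.org"))
```

The last case models the fix Marc-Andre proposes: once the package hosting sits on a separate registrable domain, a Domain=.python.org attribute fails the domain-match check in store_cookie and the cookie is never stored, so the remaining risk is ordinary cross-site behaviour rather than sub-domain cookie injection. The first case shows why www.python.org and pypi.python.org should issue host-only session cookies (no Domain= attribute) and reject session ids they did not mint themselves, since a sibling sub-domain cannot otherwise be prevented from planting a parent-scoped cookie.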