[Mailman-Developers] Hashing in private.py

Scott scott@chronis.pobox.com
Fri, 4 Dec 1998 16:32:53 -0500


It is no more secure to have SECRET defined in the source code than to
not have it at all.

If anyone is going to spoof a cookie, then looking up the value of
secret in the mailman distribution is trivial.

While I'm not familiar with the benefits of md5 vs hash (it seems like
both would be pretty much equally spoofable, and md5 just involves an
extra import, but I could be wrong), if we want to protect from cookie
spoofing, then there should be a config variable for COOKIE_SECRET, or
the hash or md5 of the list_name concatenated to the admin site
password might work.  The point is to make SECRET variable.

One potential drawback of md5 is that it can produce characters which
need special escaping for http transactions.

scott

On Tue, Dec 01, 1998 at 11:03:49AM -0500, Andrew M. Kuchling wrote:
| I just noticed that the token value used in private.py is just
| hash(list_name).  A simple improvement is to change it to hash(SECRET
| + list_name) and then change the value of SECRET in private.py.  An
| even better solution would be to do an MD5 hash of SECRET + list_name,
| but is it OK to assume that the md5 module is present?
| 
| 	(I haven't done a patch for md5 support; let me know if I should.)
| 
| 	Also, since setting an archive to private doesn't seem to
| change the directory where it's archived, this means you have to
| configure the Web server accordingly.  This should be documented
| somewhere; is it?  
| 
| -- 
| A.M. Kuchling			http://starship.skyport.net/crew/amk/
|     "All we know for sure is that we don't know anything for sure."
|     "That is a particularly foolish thing to say, John Constantine. Light and
| darkness, life and death. These things are eternally certain."
|     -- John Constantine and Dr Occult, in BOOKS OF MAGIC #1
| 
| 
| *** private.py~	Mon Oct 19 16:14:54 1998
| --- private.py	Tue Dec  1 11:00:06 1998
| ***************
| *** 98,102 ****
|   	c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
|   	if c.has_key(list_name):
| !             if c[list_name].value == `hash(list_name)`:
|                   return 1
|       # No corresponding cookie.  OK, then check for username, password
| --- 98,102 ----
|   	c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
|   	if c.has_key(list_name):
| !             if c[list_name].value == `hash(SECRET + list_name)`:
|                   return 1
|       # No corresponding cookie.  OK, then check for username, password
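Review bot: SECRET is referenced in the changed line of this hunk but no hunk in the patch defines it; unless private.py already has a SECRET name, the first request that carries a cookie for the list raises NameError at this `if`. The definition should be part of the patch, and where it lives decides what the change buys: a constant in the shipped private.py can be read by anyone with the distribution, so `hash(SECRET + list_name)` is exactly as computable for an attacker as `hash(list_name)` was, and the accepted token still depends on nothing but the list name (no user, no expiry). Loading the secret from site configuration, or at least documenting that it must be changed per installation, would make the check mean something.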
| ***************
| *** 129,133 ****
|   	return 0
|   
| !     token = `hash(list_name)`
|       c = Cookie.Cookie()
|       c[list_name] = token
| --- 129,133 ----
|   	return 0
|   
| !     token = `hash(SECRET + list_name)`
|       c = Cookie.Cookie()
|       c[list_name] = token
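Review bot: the token expression `hash(SECRET + list_name)` is now spelled out twice, here and in the check in the previous hunk; if one copy is later changed (for instance to the md5 variant the message proposes) and the other is not, every issued cookie stops validating. Put it in one helper, e.g. `def make_token(list_name): return \`hash(SECRET + list_name)\``, and call it from both places. Also worth noting: the backtick repr of `hash()` is a signed decimal string whose value depends on the interpreter's implementation and word size, so a cookie issued by one Python build need not validate on another serving the same archive, whereas a hex-encoded md5 digest is stable across interpreters and, being only hex characters, also avoids the cookie-escaping concern raised in the reply above.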
| 
| 
| _______________________________________________
| Mailman-Developers maillist  -  Mailman-Developers@python.org
| http://www.python.org/mailman/listinfo/mailman-developers
|
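The two token schemes the thread argues about, as an added example that is not Mailman's code nor any patch from the thread: the forgeable form (a digest of the list name plus a constant that ships in the source) beside the fix Scott asks for, a secret set per installation rather than in the distribution, here used as an HMAC key. The check mirrors the structure of private.py's cookie lookup using the standard library's cookie parser; the variable names, the placeholder in-source secret and the sample list name are constructed for illustration, and hex output is used so the cookie value never needs escaping (the md5 caveat in the reply).

```python
"""Private-archive cookie tokens: forgeable vs. keyed.  Added example, not Mailman code."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Stands in for the SECRET constant proposed for private.py (assumption).
# Anyone who downloads the distribution can read this value.
SECRET_IN_SOURCE = "mailman-secret"


def weak_token(list_name):
    """Token scheme under discussion: digest of an in-source constant plus the list name.

    hexdigest() keeps the cookie value to [0-9a-f], so no HTTP escaping is needed.
    """
    return hashlib.md5((SECRET_IN_SOURCE + list_name).encode()).hexdigest()


def weak_check(list_name, presented):
    """The check as patched: accept any value equal to the recomputed token."""
    return presented == weak_token(list_name)


def attacker_forges_weak_token(list_name):
    """What an attacker does: the same computation, read straight out of the distribution."""
    return hashlib.md5((SECRET_IN_SOURCE + list_name).encode()).hexdigest()


def new_site_secret():
    """Per-installation secret: generated once at install time and stored in site
    configuration (the COOKIE_SECRET config variable Scott proposes), never shipped."""
    return secrets.token_hex(32)


def keyed_token(site_secret, list_name):
    """HMAC of the list name under the per-site secret, hex-encoded so it is cookie-safe."""
    return hmac.new(site_secret.encode(), list_name.encode(), hashlib.sha256).hexdigest()


def issue_cookie(site_secret, list_name):
    """Cookie the server sets after a successful password login, as a 'name=value' string."""
    c = SimpleCookie()
    c[list_name] = keyed_token(site_secret, list_name)
    return c.output(header="").strip()


def check_cookie(site_secret, list_name, http_cookie_header):
    """Mirror of the private.py check: parse HTTP_COOKIE, find the cookie named after
    the list, and compare tokens.  compare_digest keeps the comparison constant-time."""
    c = SimpleCookie()
    c.load(http_cookie_header)
    if list_name not in c:
        return False
    return hmac.compare_digest(keyed_token(site_secret, list_name), c[list_name].value)


if __name__ == "__main__":
    name = "mailman-developers"  # constructed sample list name
    print("weak scheme forged by attacker:", weak_check(name, attacker_forges_weak_token(name)))
    site_secret = new_site_secret()
    header = issue_cookie(site_secret, name)
    print("keyed scheme accepts own cookie:", check_cookie(site_secret, name, header))
    print("keyed scheme accepts forged weak token:",
          check_cookie(site_secret, name, name + "=" + weak_token(name)))
```

With the keyed scheme an attacker who has read every line of the distribution still cannot produce a valid cookie without the installation's secret; with the in-source constant, the attacker's token is byte-for-byte the one the server computes. The token is still bound only to the list name, so a stolen cookie is replayable for anyone until the site secret is rotated.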