From jasper.olbrich at posteo.de Mon Aug 6 15:29:02 2018
From: jasper.olbrich at posteo.de (Jasper Olbrich)
Date: Mon, 6 Aug 2018 21:29:02 +0200
Subject: [moin-devel] TextCha not working because of wrong signature
Message-ID: <982e2f96-b1eb-b241-2add-4898f3eef079@posteo.de>

Hello,

I configured TextCha some time ago because bots seem to have found my
account creation page.

Now I'm unable to create new users or edit pages, because the answer to
the TextCha is always considered wrong. This is because the
reconstruction of the question from the form data fails. It all seems to
boil down to a wrong digest method:

In security/textcha.py:
----------------------
[...]
SHA1_LEN = 40
[...]
    def _compute_signature(self, question, timestamp):
        signature = u"%s%d" % (question, timestamp)
        return hmac.new(self.secret, signature.encode('utf-8')).hexdigest()
----------------------

But hmac.new uses md5 per default with a length of 32 hex digits:

>>> import hashlib
>>> import hmac
>>> len(hmac.new("key", "msg").hexdigest())
32
>>> len(hmac.new("key", "msg", hashlib.sha1).hexdigest())
40

I couldn't find any information on this yet and I'm asking what the
right fix to this would be?

1) Explicitly use hashlib.sha1?
2) Use a universal DIGEST_LEN=len(hmac.new("key", "").hexdigest())?
3) ???

And of course I'm curious why this hasn't bitten anybody else so far.

--
Best,
Jasper

From paul at boddie.org.uk Sat Aug 11 08:05:05 2018
From: paul at boddie.org.uk (Paul Boddie)
Date: Sat, 11 Aug 2018 14:05:05 +0200
Subject: [moin-devel] TextCha not working because of wrong signature
In-Reply-To: <982e2f96-b1eb-b241-2add-4898f3eef079@posteo.de>
References: <982e2f96-b1eb-b241-2add-4898f3eef079@posteo.de>
Message-ID: <201808111405.05664.paul@boddie.org.uk>

On Monday 6. August 2018 21.29.02 Jasper Olbrich wrote:
>
> I configured TextCha some time ago because bots seem to have found my
> account creation page.
>
> Now I'm unable to create new users or edit pages, because the answer to
> the TextCha is always considered wrong. This is because the
> reconstruction of the question from the form data fails. It all seems to
> boil down to a wrong digest method:

[...]

> I couldn't find any information on this yet and I'm asking what the
> right fix to this would be?
>
> 1) Explicitly use hashlib.sha1?
> 2) Use a universal DIGEST_LEN=len(hmac.new("key", "").hexdigest())?
> 3) ???
>
> And of course I'm curious why this hasn't bitten anybody else so far.

There is a bug report about it on the Moin site:

https://moinmo.in/MoinMoinBugs/TextChaWrongHMAC

It looks like the SHA1 default for the hmac_new function in
python_compatibility was not made explicit when the hmac.new function from
the standard library was adopted. This caused the MD5 digest algorithm to be
used instead since it is the default for the hmac.new function.

Why it didn't get more widely noticed could be a number of things. TextCha
measures aren't really very effective by themselves any more, and people are
increasingly using manual approval processes for granting wiki editing
rights.

I also wonder about version adoption. For ages I ran Moin 1.8 because it
worked well enough, used more familiar and comprehensible libraries in some
areas (the request handling), and it actually wasn't vulnerable for a few
things that were problems in 1.9, if I remember correctly. Meanwhile,
migrating to a newer Moin version recently involved a lot of work for no
real benefit. Also operating system distributions might provide 1.9.8 or
earlier, in some cases, avoiding this particular problem.
Paul

From jasper.olbrich at posteo.de Sat Aug 11 13:04:48 2018
From: jasper.olbrich at posteo.de (Jasper Olbrich)
Date: Sat, 11 Aug 2018 19:04:48 +0200
Subject: [moin-devel] TextCha not working because of wrong signature
In-Reply-To: <201808111405.05664.paul@boddie.org.uk>
References: <982e2f96-b1eb-b241-2add-4898f3eef079@posteo.de>
 <201808111405.05664.paul@boddie.org.uk>
Message-ID:

On 11.08.2018 14:05, Paul Boddie wrote:
> On Monday 6. August 2018 21.29.02 Jasper Olbrich wrote:
>>
>> I configured TextCha some time ago because bots seem to have found my
>> account creation page.
>>
>> Now I'm unable to create new users or edit pages, [...]
>> And of course I'm curious why this hasn't bitten anybody else so far.
>
> There is a bug report about it on the Moin site:
>
> https://moinmo.in/MoinMoinBugs/TextChaWrongHMAC

And a fix: http://hg.moinmo.in/moin/1.9/rev/561b7a9c2bd9

And right on the download page it says:
------------
You also need to apply this bugfix patch, sorry:
https://bitbucket.org/thomaswaldmann/moin-1.9/commits/561b7a9c2bd91b61d26cd8a5f39aa36bf5c6159e
------------

So, note to myself: RTFM'ing helps.

--
Jasper

From rb.proj at gmail.com Wed Aug 15 11:53:21 2018
From: rb.proj at gmail.com (Reimar Bauer)
Date: Wed, 15 Aug 2018 17:53:21 +0200
Subject: [moin-devel] returning back and what are your plans?
Message-ID:

Dear all,

after a long break in actively developing moin-2 I am thinking about
refactoring it to moin-3 (py3) and getting it in a state that we could
migrate a bunch of our wikis.

I think it is worse to do that refactoring with moin-1.9.

We have a little more than one year and if we want to keep moinmoin
alive - now a bit more pressure. ;)

Goal is to get a wiki like system, addons done later.

So what do you think? Who is in a similar situation than me and wants
to spend time?
cheers
Reimar

From paul at boddie.org.uk Wed Aug 15 12:24:01 2018
From: paul at boddie.org.uk (Paul Boddie)
Date: Wed, 15 Aug 2018 18:24:01 +0200
Subject: [moin-devel] returning back and what are your plans?
In-Reply-To:
References:
Message-ID: <201808151824.03177.paul@boddie.org.uk>

On Wednesday 15. August 2018 17.53.21 Reimar Bauer wrote:
>
> after a long break in actively developing moin-2 I am thinking about
> refactoring it to moin-3 (py3) and getting it in a state that we could
> migrate a bunch of our wikis.

First of all, welcome back!

I've never been able to get into doing anything with Moin 2. It seems like
there are so many dependencies, and I just don't buy into the Python-centric
way of handling dependencies. Moreover, delegating dependency management to
Python-only tools does little to help packaging for operating system
distributions.

Apart from that, I think that the focus of many people has been to keep what
they already have working. Unfortunately, bugs have gone unfixed upstream. I
guess that Thomas isn't so interested in Moin any more, or is this a complete
misinterpretation? Having noted that the Debian people use and improve Moin
quite a bit, maybe they have something to say about this.

> I think it is worse to do that refactoring with moin-1.9.

Yes, I think Moin 1.9 is not a particularly great place to start, and I guess
the idea with Moin 2 was to start from a better place, even though certain
things were carried forward, as far as I can tell.

> We have a little more than one year and if we want to keep moinmoin
> alive - now a bit more pressure. ;)

Is this "one year" related to Python 2 no longer being supported by the core
developers from 2020? I could have many things to say about that, few of them
particularly kind.

> Goal is to get a wiki like system, addons done later.
>
> So what do you think? Who is in a similar situation than me and wants
> to spend time?
Well, I don't know if you've been following the list, but there hasn't been
too much traffic of late. I noted recently that for some of my sites, I don't
need an active Moin instance since I'm just using Moin to deploy content. To
avoid maintenance issues - log and cache files ballooning, worries about how
secure things are - I've been writing tools to deal with Moin-formatted
content plus accessories such as the Graphviz parser.

If nothing else happens, I'll just plod along getting these tools to a state
where I'll use them to publish content. Then, maybe I'll expand them to work
with Mercurial (or other directory-centric tools) so that I can push content
around and some kind of distributed editing can be done. I believe that Hatta
tried this kind of thing out, but it didn't/doesn't support Moin-formatted
content.

Anyway, you now have some of my thoughts on the matter to consider!

Paul

From tw at waldmann-edv.de Wed Aug 15 13:04:17 2018
From: tw at waldmann-edv.de (Thomas Waldmann)
Date: Wed, 15 Aug 2018 19:04:17 +0200
Subject: [moin-devel] returning back and what are your plans?
In-Reply-To:
References:
Message-ID:

Welcome back, Reimar!

> after a long break in actively developing moin-2

#metoo :)

> I am thinking about refactoring it to moin-3 (py3)

I also felt some desire having it on py3, but after some thinking, I
thought "there are bigger and more urgent problems we have to address":

- moving to git and github (repo(s), issues, ... - I tried that once and
  back then the migration tools did not work well enough)
- build a developer community there, get more active developers
- make it useful for production
- once we are there, switch to py3-only

> and getting it in a state that we could migrate a bunch of our wikis.

Guess this is still quite a bit away.

> I think it is worse to do that refactoring with moin-1.9.

Sure, the whole point of moin2 was to have a better code base.
For moin 1.9 there is the need to make a new release just with dependency
updates and some little fixes. Some reasonable issue tracking / milestones
would be good there, too.

> We have a little more than one year and if we want to keep moinmoin
> alive - now a bit more pressure. ;)

Yeah, there is this "2020 end of support for cpython 2.7", but I think 2.7
will be there much longer (and if only in the form of PyPy 2.7 [they have no
"end of 2.7 support" as their whole own stuff is py2.7]).

> So what do you think? Who is in a similar situation than me and wants
> to spend time?

I also thought about starting on moin development again, but didn't feel
enough motivation yet considering the big amount of work and the low count
of active developers.

Also, I am somehow motivated to work on python and backend stuff, but
totally NOT to work on frontend stuff (neither good enough with that anyway).

Because of that, I was even considering whether it would be a good idea to
split moin into 2 projects, one being a wiki-engine as a service (think of
RESTful api or so) and the other being a wiki-frontend talking to the engine.

But just having a backend would be somehow pointless if no one would write
that frontend in parallel.

Cheers, Thomas

--
GPG ID: 9F88FB52FAF7B393
GPG FP: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393

From tw at waldmann-edv.de Wed Aug 15 13:12:24 2018
From: tw at waldmann-edv.de (Thomas Waldmann)
Date: Wed, 15 Aug 2018 19:12:24 +0200
Subject: [moin-devel] returning back and what are your plans?
In-Reply-To:
References:
Message-ID:

Looks like Roger Haase has been quite active in the moin2 bb repo:

https://bitbucket.org/thomaswaldmann/moin-2.0/commits/all

Did anyone try the recent code?
--
GPG ID: 9F88FB52FAF7B393
GPG FP: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393

From tw at waldmann-edv.de Fri Aug 17 18:05:44 2018
From: tw at waldmann-edv.de (Thomas Waldmann)
Date: Sat, 18 Aug 2018 00:05:44 +0200
Subject: [moin-devel] MoinMoin 1.9.x development moved to GitHub
Message-ID:

See there:

https://github.com/moinwiki/moin-1.9/

Currently working on a 1.9.10 release, please check if something important
is missing. If so, file an issue there.

No big features for 1.9.x, just small / important stuff.

Currently open issues:

https://github.com/moinwiki/moin-1.9/issues

If you contributed to MoinMoin < 2.0 in the past and you'd like to have
your commits associated with your github accounts, see issue #1.

From steve at einval.com Sun Aug 19 19:59:19 2018
From: steve at einval.com (Steve McIntyre)
Date: Mon, 20 Aug 2018 00:59:19 +0100
Subject: [moin-devel] returning back and what are your plans?
Message-ID: <20180819235858.6gn3b6nxtank4kcs@tack.einval.com>

On Wed, Aug 15, 2018 at 06:24:01PM +0200, Paul Boddie wrote:
>On Wednesday 15. August 2018 17.53.21 Reimar Bauer wrote:
>>
>> after a long break in actively developing moin-2 I am thinking about
>> refactoring it to moin-3 (py3) and getting it in a state that we could
>> migrate a bunch of our wikis.
>
>First of all, welcome back!
>
>I've never been able to get into doing anything with Moin 2. It seems like
>there are so many dependencies, and I just don't buy into the Python-centric
>way of handling dependencies. Moreover, delegating dependency management to
>Python-only tools does little to help packaging for operating system
>distributions.

Oh, hmmm. :-/ That would be a problem for us in Debian maybe.

>Apart from that, I think that the focus of many people has been to keep what
>they already have working. Unfortunately, bugs have gone unfixed upstream. I
>guess that Thomas isn't so interested in Moin any more, or is this a complete
>misinterpretation?
>Having noted that the Debian people use and improve Moin
>quite a bit, maybe they have something to say about this.

We've been fairly quiet lately, but see my other mail. Almost all the
patches we've added are to make Moin work better for us in terms of
managing users and spam. There are more intrusive changes I've been
thinking about for ages [1] but I've never got around to (and maybe never
will).

[1] https://bugs.debian.org/705114

...

>Well, I don't know if you've been following the list, but there hasn't been
>too much traffic of late. I noted recently that for some of my sites, I don't
>need an active Moin instance since I'm just using Moin to deploy content. To
>avoid maintenance issues - log and cache files ballooning, worries about how
>secure things are - I've been writing tools to deal with Moin-formatted
>content plus accessories such as the Graphviz parser.

I've got a few scripts locally too. I'm particularly looking at adding
configurable "this page needs checking/updating every N months, please
check it" style alerts. We have a huge corpus of pages, and lots of the
content is painfully out of date... :-/

--
Steve McIntyre, Cambridge, UK.                                steve at einval.com
"...In the UNIX world, people tend to interpret `non-technical user'
 as meaning someone who's only ever written one device driver." -- Daniel Pead

From steve at einval.com Sun Aug 19 19:59:54 2018
From: steve at einval.com (Steve McIntyre)
Date: Mon, 20 Aug 2018 00:59:54 +0100
Subject: [moin-devel] Current state of Debian efforts with Moin
Message-ID: <20180819235954.wziijcjp5lt4dwyy@tack.einval.com>

Hey folks,

As promised in irc a few days ago...

We're still using 1.9.9 with a few local patches - see

https://salsa.debian.org/debian/moin/tree/master/debian/patches

for the full set. I've just added one new patch that's not yet released in
Debian, adding support for proper netmasks when adding IP blocks - see
netaddr_hosts_deny.patch.
I've got two more issues that could do with fixes:

 * We have a large list of blocked addresses to deal with spam. We'd like
   to split that into two:

   + addresses allowed to read the wiki, but not make changes nor sign up
     for accounts
   + addresses totally blocked (the current behaviour)

   We have a lot of users complaining that they're blocked, particularly
   if they're using commercial VPN providers who can't/won't do anything
   about spammers. I'm hoping to work on this soon, but I've got a long
   TODO list on other Debian-related projects too.

 * A check of the licensing in Moin showed up two sets of images where
   licensing is not as clear as we'd like:

   MoinMoin/web/static/htdocs/classic/img/idea.png
   MoinMoin/web/static/htdocs/classic/img/redface.png
   MoinMoin/web/static/htdocs/classic/img/sad.png
   MoinMoin/web/static/htdocs/classic/img/smile.png
   MoinMoin/web/static/htdocs/classic/img/smile2.png
   MoinMoin/web/static/htdocs/classic/img/smile3.png
   MoinMoin/web/static/htdocs/modern/img/idea.png
   MoinMoin/web/static/htdocs/modern/img/redface.png
   MoinMoin/web/static/htdocs/modern/img/sad.png
   MoinMoin/web/static/htdocs/modern/img/smile.png
   MoinMoin/web/static/htdocs/modern/img/smile2.png
   MoinMoin/web/static/htdocs/modern/img/smile3.png
   MoinMoin/web/static/htdocs/rightsidebar/img/idea.png
   MoinMoin/web/static/htdocs/rightsidebar/img/redface.png
   MoinMoin/web/static/htdocs/rightsidebar/img/sad.png
   MoinMoin/web/static/htdocs/rightsidebar/img/smile.png
   MoinMoin/web/static/htdocs/rightsidebar/img/smile2.png
   MoinMoin/web/static/htdocs/rightsidebar/img/smile3.png

   These all contain text saying

     Copyright: 1999, Philipp Esselbach

   but there's no mention of him or a license grant anywhere I can find.

   MoinMoin/web/static/htdocs/classic/img/moin-new.png
   MoinMoin/web/static/htdocs/modern/img/moin-new.png
   MoinMoin/web/static/htdocs/rightsidebar/img/moin-new.png

   These all say:

     Copyright: 1996, Leo Doerr

   but there's no mention of him or a license grant anywhere I can find.
There's also a range of bug reports in the Debian BTS:

https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=moin

Most aren't too important IMHO, but others may find them interesting.

--
Steve McIntyre, Cambridge, UK.                                steve at einval.com
"... the premise [is] that privacy is about hiding a wrong. It's not.
 Privacy is an inherent human right, and a requirement for maintaining
 the human condition with dignity and respect."
  -- Bruce Schneier

----- End forwarded message -----

--
Steve McIntyre, Cambridge, UK.                                steve at einval.com
Into the distance, a ribbon of black
Stretched to the point of no turning back

From tw at waldmann-edv.de Mon Aug 20 08:54:37 2018
From: tw at waldmann-edv.de (Thomas Waldmann)
Date: Mon, 20 Aug 2018 14:54:37 +0200
Subject: [moin-devel] Current state of Debian efforts with Moin
In-Reply-To: <20180819235954.wziijcjp5lt4dwyy@tack.einval.com>
References: <20180819235954.wziijcjp5lt4dwyy@tack.einval.com>
Message-ID:

> https://salsa.debian.org/debian/moin/tree/master/debian/patches

Have gone through them (again) and the current state is like that:

> fix_wrong_digestmod_of_hmac.new_calls.patch

Patch from download page (I guess), fixed in git already.

> fix_rss.patch
> Fix rss_rc action to stop crashes

I opened github issue, please add more details there:

https://github.com/moinwiki/moin-1.9/issues/25

> incremental-dump.patch
> implement an incremental dump process
> Implement an incremental dump process.
> This also fixes dumping of the attachments.
> This also allows the dump script to be interrupted.

Sounds useful, but for 1.9.10 guess I'd prefer a bug report about what is
broken with the attachments and a fix-only pull request that fixes just that.

> disable_gui_editor_if_fckeditor_missing.patch
> hardcode_configdir.patch
> htdocs_moved_to_usr_share_moin.patch
> use_systemwide_libs.patch

Dist packaging specific, not needed upstream.

> remove_favicon.patch

Cosmetic.
> external_account_creation_check.patch
> mail-verification.patch
> netaddr_hosts_deny.patch
> recaptcha.patch

Lots of efforts on spam fighting.

We need to fight spam bots, but the problem is that (AFAIK) they have
already worked around all these mechanisms.

I'll write a separate mail about my recent attempts on spam fighting.

> * A check of the licensing in Moin showed up two sets of images where
>   licensing is not as clear as we'd like:

Ugh. Well, I guess this is rather a documentation issue than a licensing
issue as IIRC we never have used anything we are not permitted to use.

But I also can't remember the details about these 7 icons. Guess we have
them since > 10 years.

(the list is longer than 7 because they were copied into multiple themes)

> There's also a range of bug reports in the Debian BTS:
>
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=moin

https://github.com/moinwiki/moin-1.9/issues/26

--
GPG ID: 9F88FB52FAF7B393
GPG FP: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393

From tw at waldmann-edv.de Mon Aug 20 09:30:50 2018
From: tw at waldmann-edv.de (Thomas Waldmann)
Date: Mon, 20 Aug 2018 15:30:50 +0200
Subject: [moin-devel] spam fighting ...
Message-ID: <4ab5ec1f-2f4b-e60c-439b-0f924553bfee@waldmann-edv.de>

... the never ending story.

Here are some of my recent attempts in moin-1.9 github repo (soon in
1.9.10 release):

* disabled the "newaccount" action by default.

  This is to avoid that for internet-exposed wikis spam bots can create
  lots of user accounts in little time.

  To avoid forcing the wiki admin to create accounts on the shell (or
  having to toggle the availability of the newaccount action temporarily),
  I slightly modified the superuser's "Switch user" capability (see
  "Settings" of superuser):

  It is now able to switch to a non-existing user (and just create a new
  user profile on the fly).
  So, as a superuser one only needs to give the new username, switch to it,
  fill in the user's email address and then the account can be claimed by
  the user on the login page via the "forgot password" functionality (then
  setting a password, modifying profile settings as needed).

  While this method imposes some work on someone in the superuser list, it
  is totally safe against spammers: there is no way humans or spam bots can
  create accounts without the help of a superuser.

* safer internal default ACL: Known and All now only have read permissions.

  This is to avoid that you accidentally give r/w permissions to the world
  when running a wiki on the internet.

  I recently shot myself in the foot by forgetting to configure a safer
  default ACL (only used acl_rights_before, but did not lock out All/Known
  for writing).

  Sample configs: suggest to use an EditorGroup.

  Again, this is a bit more work for wiki admins / group members, but it is
  totally safe against spammers:

  - no default write permissions for All (anon users)
  - no default write permissions for Known (anyone who managed to create an
    account, see also newaccount action)
  - you can not create/modify pages without logging in AND being explicitly
    allowed by an ACL (by name or by group membership)

  Using e.g. an EditorGroup, the work needed to give some legitimate user
  write permissions can be distributed onto all members of some group (e.g.
  EditorGroup or AdminGroup).

Note: not much in the original spirit of wiki (allow changes and revert
them if they are bad), but guess there are too many idiots out there for
this.

For wikis without internet exposure, the more strict new default settings
can be undone via the wiki config, if desired.

--
GPG ID: 9F88FB52FAF7B393
GPG FP: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
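Editor's note: the ACL change described in the "spam fighting" mail above is easier to reason about with a small model of how Moin-style ACL strings are evaluated. The following is an added example and not MoinMoin's own code. It assumes the Moin 1.9 ACL syntax ("Entry:right1,right2 ..."), the special names All and Known, group names ending in "Group", and the evaluation order acl_rights_before, then the page/default ACL, then acl_rights_after, with the first matching entry deciding. The "+"/"-" modifiers, the Trusted pseudo-group and the exact default strings shipped by Moin are not reproduced; OLD_DEFAULT and NEW_DEFAULT below are constructed from the mail's description ("Known and All now only have read permissions", "suggest to use an EditorGroup"), not copied from the repository.

```python
"""Simplified model of Moin-style ACL evaluation (added example, not Moin's code).

Assumed semantics: an ACL string is a whitespace-separated list of
"Entry:right,right" items; entries are tried in order across
acl_rights_before, the page (or default) ACL and acl_rights_after, and the
first entry that applies to the user decides. An entry with an empty right
list ("All:") is an explicit deny for everyone it matches.
"""

RIGHTS = ("read", "write", "delete", "revert", "admin")

# Constructed for this example from the mail's description of the change:
# before 1.9.10 anyone with an account (Known) and even anonymous users (All)
# could write; the new default only grants read and relies on an explicit
# editor group for write access.
OLD_DEFAULT = u"Known:read,write,delete,revert All:read,write"
NEW_DEFAULT = u"EditorGroup:read,write,delete,revert Known:read All:read"

# Hypothetical site configuration for the demonstration.
ACL_BEFORE = u"AdminGroup:read,write,delete,revert,admin"
ACL_AFTER = u"All:"          # deny anything not decided earlier
GROUPS = {"AdminGroup": {"admin"}, "EditorGroup": {"alice"}}


def parse_acl(acl_string):
    """Parse "Entry:r1,r2 Entry2:r3" into an ordered list of (entry, rights)."""
    entries = []
    for item in acl_string.split():
        if ":" not in item:
            raise ValueError("malformed ACL entry: %r" % item)
        name, _, rights = item.partition(":")
        granted = set(r for r in rights.split(",") if r)
        unknown = granted - set(RIGHTS)
        if unknown:
            raise ValueError("unknown rights %s in %r" % (sorted(unknown), item))
        entries.append((name, granted))
    return entries


def entry_matches(entry, user, groups):
    """Does an ACL entry apply to this user? user is None for anonymous."""
    if entry == "All":
        return True
    if user is None:                 # anonymous only ever matches All
        return False
    if entry == "Known" or entry == user:
        return True
    if entry.endswith("Group"):      # group membership by name
        return user in groups.get(entry, ())
    return False


def may(user, right, default_acl, acl_before=ACL_BEFORE, acl_after=ACL_AFTER,
        groups=GROUPS):
    """Evaluate before -> default -> after; the first matching entry decides."""
    for acl in (acl_before, default_acl, acl_after):
        for entry, granted in parse_acl(acl):
            if entry_matches(entry, user, groups):
                return right in granted
    return False


def can_write(user, default_acl):
    return may(user, "write", default_acl)


def summary(default_acl):
    """Who can read/write under a given default ACL (None = anonymous)."""
    users = (None, "spambot", "alice", "admin")
    return {u: (may(u, "read", default_acl), can_write(u, default_acl))
            for u in users}


if __name__ == "__main__":
    for label, acl in (("old default", OLD_DEFAULT), ("new default", NEW_DEFAULT)):
        print(label, acl)
        for user, (r, w) in summary(acl).items():
            print("  %-8s read=%s write=%s" % (user or "anon", r, w))
```

Under OLD_DEFAULT a freshly registered account ("spambot", no group membership) and even an anonymous visitor can write, which is the accidental world-writable state the mail warns about; under NEW_DEFAULT only EditorGroup members and the AdminGroup entry from acl_rights_before can, while Known and All keep read access.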
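Editor's note: returning to the TextCha thread at the top of this archive, the following added example (not Moin's code) shows why an implicit HMAC digest broke the signature check, and how a signed question field is reconstructed and verified with an explicit digest, a length check and a constant-time comparison. The "question|timestamp|signature" field layout, the secret, the sample question and the timestamp are all constructed for this example; Moin's real form field format is not reproduced.

```python
"""Signing and verifying a TextCha-style question (added example, not Moin's code).

The quoted textcha.py compared the signature length against SHA1_LEN (40)
but computed it with hmac.new() and no digestmod, which on Python 2 silently
meant MD5 (32 hex digits), so every reconstructed question failed. Passing
digestmod explicitly fixes that; Python 3.8+ makes the argument mandatory.
"""
import hashlib
import hmac
import time

SHA1_LEN = 40   # hex digits of a SHA-1 HMAC, as in the quoted textcha.py
MD5_LEN = 32    # hex digits of an MD5 HMAC, the old implicit default


def compute_signature(secret, question, timestamp, digestmod=hashlib.sha1):
    """HMAC over question+timestamp with an explicit digest algorithm."""
    msg = (u"%s%d" % (question, timestamp)).encode("utf-8")
    return hmac.new(secret, msg, digestmod).hexdigest()


def build_field(secret, question, timestamp):
    """Hidden form field carrying question, timestamp and signature
    (constructed layout for this example)."""
    sig = compute_signature(secret, question, timestamp)
    return u"%s|%d|%s" % (question, timestamp, sig)


def extract_question(secret, field, now, max_age=3600):
    """Reconstruct the question from the form field; None if it is not trustworthy."""
    try:
        # rsplit from the right so a question containing '|' still parses
        question, ts_text, signature = field.rsplit(u"|", 2)
        timestamp = int(ts_text)
    except ValueError:
        return None
    if len(signature) != SHA1_LEN:
        return None                      # the failure reported in the thread
    if timestamp > now or now - timestamp > max_age:
        return None                      # stale or future-dated question
    expected = compute_signature(secret, question, timestamp)
    if not hmac.compare_digest(expected, signature):
        return None                      # tampered question or timestamp
    return question


def demonstrate_bug(secret, question, timestamp):
    """Sign with MD5 (the old implicit default) and show the SHA1_LEN check
    rejects it: returns (signature length, reconstructed question)."""
    md5_sig = compute_signature(secret, question, timestamp, hashlib.md5)
    field = u"%s|%d|%s" % (question, timestamp, md5_sig)
    return len(md5_sig), extract_question(secret, field, timestamp + 1)


if __name__ == "__main__":
    secret = b"example-secret-not-for-production"   # constructed
    now = int(time.time())
    field = build_field(secret, u"What is 2+2?", now)
    print("field:", field)
    print("verified question:", extract_question(secret, field, now + 5))
    print("MD5-signed field:", demonstrate_bug(secret, u"What is 2+2?", now))
```

The length check alone is what made the bug visible; the constant-time comparison and the age window are what a verifier should have anyway, so that a signature mismatch neither leaks timing information nor lets a once-valid question be replayed indefinitely.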