[pydotorg-www] bugs.jython giving security warning

anatoly techtonik techtonik at gmail.com
Thu Jun 14 15:27:33 CEST 2012 

On Thu, Jun 14, 2012 at 8:56 AM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>> Navigating to bugs.jython.org is giving a security warning (at least
>> from chrome) -- bugs.python.org is fine.
>
>
> I have now de-spammed the tracker, and requested rescanning, which
> caused the security warning to be dropped.
>
> It would still be good if the tracker didn't accept HTML attachments,
> but treats them all as text/plain; see bugs.python.org for a reference
> on how this can be done.

I don't what people are supposed to find by looking at
bugs.python.org, but a quick reply from roundup-devel revealed that
allow_html_file option. See below. This option since inception always
was set to "no", so the quiestion is who set it to "yes" for Jython
tracker and why?


---------- Forwarded message ----------
From: John P. Rouillard <rouilj at cs.umb.edu>
Date: Thu, Jun 14, 2012 at 4:16 PM
Subject: Re: [Roundup-devel] Fwd: [pydotorg-www] bugs.jython giving
security warning
To: anatoly techtonik <techtonik at gmail.com>
Cc: roundup-devel <roundup-devel at lists.sourceforge.net>



In message
<CAPkN8xLg0uuCptd6iBKR8ybyhQTzgBogqhucDHTsD4hF6HzQcQ at mail.gmail.com> ,
anatoly techtonik writes:

>Does Roundup allow attaching arbitrary HTML

Yes

> and render it?

Only if you tell it to.

In the tracker you will find this setting in config.ini in the [web] section:

  [web]
  # Setting this option enables Roundup to serve uploaded HTML
  # file content *as HTML*. This is a potential security risk
  # and is therefore disabled by default. Set to 'yes' if you
  # trust *all* users uploading content to your tracker.
  # Allowed values: yes, no
  # Default: no
  allow_html_file = no

if you ignore the warning and set this to yes then the HTML will be
rendered.

>Is it possible to steal Roundup cookies this way and hijack sessions?

Yes it could be used for various things.

--
                               -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

More information about the pydotorg-www mailing list