1
I reviewed python-repoze.who version 1.0.18-4 from Ubuntu vivid. This
2
should not be considered a full security audit but instead a quick gauge
5
- python-repoze,who is a generic authentication middleware for python
6
applications; it sits between a wsgi server and application and modifies
7
http requests and responses.
8
- Build-Depends: debhelper, cdbs, python-dev, dh-python,
9
python-setuptools, python-sphinx, python-zope.interface, python-paste
11
- pre/post inst/rm scripts automatically generated
14
- No setuid executables
18
- Test suite run during the build
20
- No subprocesses spawned
21
- Files read under command of configurations
22
- Logging looked simple
23
- No environment variables used
24
- No privileged portiona of code
25
- Networking driven by webserver
26
- Slight cryptography used, actual provided password storage mechanisms
33
While reviewing this code I found a few things that seemed worth reporting
36
- ./repoze/who/plugins/htpasswd.py plain_check() function allows
37
timing-based password discovery, crypt_check() hard-codes two character
39
- InsecureCookiePlugin doesn't appear to authenticate or encrypt the
40
cookie data, or set httponly flag or set secure flag; ignoring the
41
secure flag makes some sense for an InsecureCookie mechanism but lacking
42
httponly and authenicated data is perhaps surprising to authors.
43
- doesn't appear to use HttpOnly cookie flag
44
- no csrf protection in default login form in repoze/who/plugins/form.py
45
- unknown session fixation prevention in default login form
46
- default_password_compare in ./repoze/who/plugins/sql.py does not
47
salt or iterate passwords; plaintext variant allows timing-based
48
password guessing, and stored passwords cannot start with (SHA)
50
I believe the core code of python-repoze.who is reliable enough, but
51
the default providers for backends and forms don't look like they are
52
production quality. Passwords are stored in plaintext, or insufficiently
53
salted and iterated, and timing-sensitive comparison routines are used.
54
The login form doesn't protect against session fixation or csrf. Simple
55
and usual protections on cookies are ignored.
57
This presents a dilemma; essentially, all non-toy programs have to provide
58
their own storage and authentication plugins to be able to safely use this
59
tool. It seems incorrect to promote a project to main with many known
60
flaws in the defaults, but if no real tools actually use the defaults,
61
the issues might be mostly acedemic.
63
The use by python-pysaml2 seemed safe enough.
65
The upstream authors have not yet responded to my questions. The above
66
issues may warrant security fixes, issues that would be best to fix
67
before shipment if we can. I'm concerned to hear that this package is
68
orphaned in Debian because it also feels orphaned upstream.
70
While we probably could take on maintenance of this package ourselves I
71
have to ask if we should use a different mechanism for login tracking.
73
So I propose a conditional ACK to promote this package to main,
74
conditional on two pieces:
76
*1* a statement from the server team that this package is the best known
77
way for the pysaml2 tool to manage logins.
79
*2* a statement from the server team that they will assist in maintenance
80
efforts for the supported life of this package, and will ask to demote it
81
again in the future if a viable replacement is found.