[Twisted-web] Security problem in session wrapper

Romain Bignon romain at inl.fr
Fri Oct 19 09:31:29 EDT 2007


Hello,

When someone has an expired session from HTTP Authentication, this 
message is displayed in the logs:

2007/10/19 13:24 CEST [HTTPChannel,2,127.0.0.1] expired session HTTP AUTH: 
romain:PASSWORD

To not show the password, we can use this patch:

*** guard.py    2007-10-19 14:01:22.000000000 +0200
--- guard.py.last       2007-10-19 14:01:17.000000000 +0200
*************** class SessionWrapper:
*** 335,341 ****
          cookie = request.getCookie(self.cookieKey)
          # support HTTP auth, no redirections
          userpass = request.getUser(), request.getPassword()
!         httpAuthSessionKey = 'HTTP AUTH: %s:%s' % userpass

          for sessionKey in cookie, httpAuthSessionKey:
              if sessionKey in self.sessions:
--- 335,341 ----
          cookie = request.getCookie(self.cookieKey)
          # support HTTP auth, no redirections
          userpass = request.getUser(), request.getPassword()
!         httpAuthSessionKey = 'HTTP AUTH: %s' % request.getUser()

          for sessionKey in cookie, httpAuthSessionKey:
              if sessionKey in self.sessions:
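Review bot: dropping the password from `httpAuthSessionKey` changes what the lookup matches, not only what gets logged. With the key reduced to `'HTTP AUTH: %s' % request.getUser()`, any request carrying the same username, whatever password it presents, produces the same key and satisfies `if sessionKey in self.sessions:`, so an existing authenticated session would be reused without the password taking part in the match. The `userpass` tuple on the line above is also left computed but unused in this hunk. If the goal is only to keep the password out of the log, consider redacting the key where it is logged, or deriving the key from a keyed hash of the (user, password) pair rather than the cleartext pair.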

But if httpAuthSessionKey is used as a unique key in the session dict, I don't 
know whether you consider that the username can be a unique key.

So, another way is to remove the log line, which isn't really important:

*** guard.py    2007-10-19 15:29:50.000000000 +0200
--- guard.py.last       2007-10-19 14:01:17.000000000 +0200
*************** class GuardSession(components.Componenti
*** 141,147 ****
      def expire(self):
          """Expire/logout of the session.
          """
!         log.msg("expired session %s" % str(self.uid))
          del self.guard.sessions[self.uid]

          # Logout of all portals
--- 141,147 ----
      def expire(self):
          """Expire/logout of the session.
          """
!         #log.msg("expired session %s" % str(self.uid))
          del self.guard.sessions[self.uid]

          # Logout of all portals
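Review bot: commenting out `log.msg("expired session %s" % str(self.uid))` removes the expiry record entirely and leaves dead code in the method; session expiry is worth keeping in the log for auditing. Prefer either deleting the line outright or, better, keeping the call and logging a redacted form of `self.uid` (for HTTP-auth keys, everything after the user's `:` is the password), so the event stays in the log and the secret does not.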

Regards,

-- 
Romain Bignon - http://vaginus.org

http://www.inl.fr
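As an added example (not the patches above and not Twisted's own guard.py), a Python sketch of the alternative a reviewer would suggest for both patches: derive the HTTP-auth session key from a keyed hash of the credentials so it can be logged and still separates different passwords, and redact legacy keys before logging instead of dropping the expiry log. `SESSION_KEY_SECRET`, `find_session` and `redact_session_key` are assumed names, and the sample session dict is constructed.

```python
import hashlib
import hmac
import os

# Assumption: a per-process random secret (hypothetical; not part of guard.py).
# Keying the hash means a leaked key cannot be guessed back to the password offline.
SESSION_KEY_SECRET = os.urandom(32)


def http_auth_session_key(user, password, secret=SESSION_KEY_SECRET):
    """Derive an opaque session-dict key from HTTP Basic credentials.

    Unlike 'HTTP AUTH: %s:%s' % (user, password), the key carries no secret
    material, yet the same user with a different password still maps to a
    different key, so a wrong password cannot match an existing session.
    """
    # NUL separator: Basic-auth usernames cannot contain ':' or NUL, so it is unambiguous.
    msg = ("%s\0%s" % (user, password)).encode("utf-8")
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return "HTTP AUTH: %s:%s" % (user, tag[:32])


def redact_session_key(session_key):
    """Return a log-safe form of a legacy 'HTTP AUTH: user:password' key.

    Everything after the first ':' that follows the prefix is the password and
    is masked; cookie keys (random strings) pass through unchanged.
    """
    prefix = "HTTP AUTH: "
    if not session_key.startswith(prefix):
        return session_key
    user, sep, _password = session_key[len(prefix):].partition(":")
    return prefix + user + (":<redacted>" if sep else "")


def find_session(sessions, cookie, user, password, secret=SESSION_KEY_SECRET):
    """Mirror of the wrapper's lookup loop, using the derived key instead of cleartext."""
    for key in (cookie, http_auth_session_key(user, password, secret)):
        if key is not None and key in sessions:
            return sessions[key]
    return None


if __name__ == "__main__":
    # Constructed sample: one authenticated HTTP-auth session in the dict.
    secret = b"constructed-test-secret"
    sessions = {http_auth_session_key("romain", "PASSWORD", secret): "session-1"}
    print(find_session(sessions, None, "romain", "PASSWORD", secret))  # session-1
    print(find_session(sessions, None, "romain", "wrong", secret))     # None
    print(redact_session_key("HTTP AUTH: romain:PASSWORD"))           # HTTP AUTH: romain:<redacted>
```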
