[Twisted-web] Security problem in session wrapper
Romain Bignon
romain at inl.fr
Fri Oct 19 09:31:29 EDT 2007
Hello,
When someone has an expired session from an HTTP Authentication, this
message is displayed in logs:
2007/10/19 13:24 CEST [HTTPChannel,2,127.0.0.1] expired session HTTP AUTH: romain:PASSWORD
To not show the password, we can use this patch:
*** guard.py 2007-10-19 14:01:22.000000000 +0200
--- guard.py.last 2007-10-19 14:01:17.000000000 +0200
*************** class SessionWrapper:
*** 335,341 ****
cookie = request.getCookie(self.cookieKey)
# support HTTP auth, no redirections
userpass = request.getUser(), request.getPassword()
! httpAuthSessionKey = 'HTTP AUTH: %s:%s' % userpass
for sessionKey in cookie, httpAuthSessionKey:
if sessionKey in self.sessions:
--- 335,341 ----
cookie = request.getCookie(self.cookieKey)
# support HTTP auth, no redirections
userpass = request.getUser(), request.getPassword()
! httpAuthSessionKey = 'HTTP AUTH: %s' % request.getUser()
for sessionKey in cookie, httpAuthSessionKey:
if sessionKey in self.sessions:
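Review bot: dropping the password from httpAuthSessionKey (the `!` line `'HTTP AUTH: %s' % request.getUser()`) turns the lookup that follows it, `if sessionKey in self.sessions`, into a match on the username alone: once a session exists for a user, any later request carrying that username matches it whatever password it presents, so the fix for the log leak weakens the check the key was guarding. A key that still covers the (user, password) pair without containing the cleartext password, for example a keyed hash of `'%s:%s' % userpass`, keeps the session unique per credential pair and still keeps the password out of the `expired session %s` log line.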
But if the httpAuthSessionKey is used as a unique key in the session dict, I don't
know if you consider that the username can be a unique key.
So, another way is to remove the log line, which isn't really important:
*** guard.py 2007-10-19 15:29:50.000000000 +0200
--- guard.py.last 2007-10-19 14:01:17.000000000 +0200
*************** class GuardSession(components.Componenti
*** 141,147 ****
def expire(self):
"""Expire/logout of the session.
"""
! log.msg("expired session %s" % str(self.uid))
del self.guard.sessions[self.uid]
# Logout of all portals
--- 141,147 ----
def expire(self):
"""Expire/logout of the session.
"""
! #log.msg("expired session %s" % str(self.uid))
del self.guard.sessions[self.uid]
# Logout of all portals
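Review bot: commenting out the `log.msg` call (`#log.msg("expired session %s" % str(self.uid))`) leaves dead code in expire() and removes the only record that a session was expired; either delete the line outright or, better, keep the message and make the uid itself safe to print, since the leak comes from the HTTP-auth uid being built as `'HTTP AUTH: %s:%s' % userpass` in SessionWrapper, not from logging the expiry.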
Regards,
--
Romain Bignon - http://vaginus.org
http://www.inl.fr
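As an added example that is not part of Romain's post or of Twisted's guard.py, the three session-key constructions discussed above side by side: the original key that embeds the cleartext password, the username-only key of the first patch, and a keyed-hash variant that keeps the (user, password) pair as the session identity without putting the password into the key or any log line. FakeRequest, the `secret` argument and the function names are stand-ins invented for this example.

```python
import hashlib
import hmac

class FakeRequest:
    # Constructed stand-in for the Twisted request object seen by guard.py.
    def __init__(self, user, password):
        self._user, self._password = user, password

    def getUser(self):
        return self._user

    def getPassword(self):
        return self._password

def session_key_original(request):
    # As in the unpatched SessionWrapper: the cleartext password is part of
    # the key, so log.msg("expired session %s" % uid) writes it to the log.
    userpass = request.getUser(), request.getPassword()
    return 'HTTP AUTH: %s:%s' % userpass

def session_key_username_only(request):
    # As in the first proposed patch: the key is the username alone.
    return 'HTTP AUTH: %s' % request.getUser()

def session_key_hashed(request, secret):
    # Hypothetical hardened variant (not Twisted's code): an HMAC over
    # user:password keeps the key unique per credential pair, while the
    # password cannot be read back from the key or from a log line. `secret`
    # stands for a random per-process key the wrapper would create at start.
    userpass = '%s:%s' % (request.getUser(), request.getPassword())
    mac = hmac.new(secret, userpass.encode('utf-8'), hashlib.sha256).hexdigest()
    return 'HTTP AUTH: %s:%s' % (request.getUser(), mac)

def demo():
    # Mirrors the `if sessionKey in self.sessions` lookup from the patch context.
    secret = b'constructed-per-process-secret'
    good = FakeRequest('romain', 'PASSWORD')
    wrong = FakeRequest('romain', 'wrong-guess')
    hashed_sessions = {session_key_hashed(good, secret): 'session'}
    name_sessions = {session_key_username_only(good): 'session'}
    return {
        'original_key_leaks_password': 'PASSWORD' in session_key_original(good),
        'hashed_key_leaks_password': 'PASSWORD' in session_key_hashed(good, secret),
        'hashed_wrong_password_matches': session_key_hashed(wrong, secret) in hashed_sessions,
        'username_only_wrong_password_matches': session_key_username_only(wrong) in name_sessions,
    }
```

Running demo() shows the trade-off the post raises: the username-only key stops the password leaking but lets a request with the wrong password match an existing session, while the hashed key does neither.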