[00:07:59] * sashav has joined #pocoo
[00:17:02] * Kaelten has quit IRC
[00:52:51] * heikkit has joined #pocoo
[00:53:30] <heikkit> yesterday I asked about how to protect against csrf and someone (sorry, forgot the nick) pointed me to zine.utils.forms
[00:54:28] <heikkit> I took a look, but I think that implementation is not very secure, it seems to me that once someone has seen the secret token they can perform csrf attacks
[00:54:32] <heikkit> the code is here: http://dev.pocoo.org/projects/zine/browser/zine/utils/forms.py#L1644
[00:54:51] <heikkit> to me it seems the problem is this code does not change the token at all
[00:55:15] <heikkit> afaik it would be enough to fix to just mix for example time.time() value into the string to be hashed
[00:57:09] <aa_> heikkit: I mentioned it, but talk to mitsuhiko :)
[00:57:12] <aa_> he wrote it
[00:57:36] <aa_> heikkit: I think the token is per request though
[00:58:13] <aa_> so someone would have to do a get/screen-scrape then use it
[00:58:20] <aa_> not sure if there is added indirection
[00:58:40] * sashav has quit IRC
[00:58:46] <heikkit> hmm, the app.cfg part leads me to think this is set once into the app and then not changed
[00:59:11] <heikkit> (but granted, I haven't traced that code)
[00:59:43] <aa_> heikkit: that token in app.cfg is for secure cookie hashing
[01:00:42] <heikkit> aa_: yeah, but does app.cfg['secret_key'] change or not?
[01:03:03] <heikkit> it's loaded in here: http://dev.pocoo.org/projects/zine/browser/zine/application.py#L604
[01:03:17] <heikkit> haven't seen any place where it's changed, but I didn't look too hard...
[01:04:07] <aa_> heikkit: no, that doesn't change
[01:05:56] <heikkit> so then it is like I thought: assuming you can record the token value once per user+path, you can perform csrf attacks as that user on that path
[01:06:15] <aa_> but that is not related to forms
[01:06:22] <aa_> the form csrf token is per-request
[01:07:31] <heikkit> I don't see how. This value is used as _csrf_token field in the forms
[01:07:52] <heikkit> http://dev.pocoo.org/projects/zine/browser/zine/utils/forms.py#L692
[01:15:18] <prencher> goddamnit alowry how do you find all these little things :P
[01:15:26] <alowry> heh
[01:16:36] <alowry> If I have time later this week I can whip up some simple tests to exercise the forms & fields. At least at smoke-test level
[01:18:31] <prencher> been meaning to write them up but we wanted to finish up the docs first.. then server move and stuff got in the way a bit
[01:19:27] * alowry nods. Always too much to do and not enough time.
[01:20:32] <prencher> i'd love some unittests (we use py.test on that note) if you have the time though, for sure
[01:31:01] <prencher> alowry - btw my bad on the hg.. to make it cleanly import you have to use hg export tip(or specific rev)
[01:31:55] <prencher> doesn't make a big difference, just easier to import that way.. thought it could hoist it from a tip -p but seems not
[01:32:54] <prencher> (and it means you get commit user credit, woo ;)
[01:32:58] <alowry> heh
[01:50:56] * aconbere has quit IRC
[01:57:02] * aconbere has joined #pocoo
[02:42:47] * Baumichel has quit IRC
[02:59:08] * heikkit has quit IRC
[03:03:11] * aconbere has quit IRC
[03:12:30] * alowry has quit IRC
[03:33:02] * mtrichardson has quit IRC
[03:38:50] * alowry has joined #pocoo
[04:48:30] * sashav has joined #pocoo
[04:50:55] * sashav has joined #pocoo
[05:20:59] * alowry has quit IRC
[06:03:58] * heikkit has joined #pocoo
[06:45:57] * Eloff_ has joined #pocoo
[06:46:26] * Eloff has quit IRC
[06:52:02] * davidcramer has joined #pocoo
[06:55:16] <mitsuhiko> heikkit: the secret key is the salt
[06:55:18] <mitsuhiko> or one salt
[06:55:42] <mitsuhiko> path + user id + secret key -> hashed -> csrf key
[06:55:52] <mitsuhiko> granted: hmac would make it a bit more secure
[06:59:37] <heikkit> mitsuhiko: right, but what I am saying is that this csrf key can be recorded, and once the attacker has it recorded, he can start doing csrf attacks
[07:00:02] <heikkit> mitsuhiko: I think you should change the csrf key for every form you serve
[07:00:22] <mitsuhiko> heikkit: how would the attacker record the key?
[07:00:30] <mitsuhiko> he would have to be logged in as that user
[07:00:56] <mitsuhiko> and if he's logged in as his victim you need no csrf protection any longer
[07:01:13] <heikkit> no, assuming plain http connection he would just have to have the ability to record the traffic between the site and the victim
[07:01:23] <heikkit> assuming no ssl of course
[07:01:43] <mitsuhiko> you can't protect against a man in the middle attack without ssl
[07:01:57] <asmodai> wow
[07:02:00] <mitsuhiko> if i change the key on a per request basis i would have to stash the hash into the cookie
[07:02:01] <asmodai> mitsuhiko is up early
[07:02:02] <heikkit> right, but in this case it would be enough for the attacker to record this just once
[07:03:16] <heikkit> in practice I think it would be ok to just mix time.time() into the values you take the hash of
[07:03:28] <mitsuhiko> then i can't reverse the operation
[07:03:40] <mitsuhiko> the big advantage of the implementation in zine right now is that i don't have to store the value
[07:03:42] <heikkit> yeah, you'd need to store it in the session or something
[07:03:55] <mitsuhiko> so someone would have to sit between the victim and the server
[07:04:05] <mitsuhiko> but in that situation you are screwed anyways
[07:04:52] <heikkit> but just recording is non-invasive, you don't know it is happening
[07:04:59] * Eloff_ has quit IRC
[07:05:10] <heikkit> then you attack with csrf and you end up pointing fingers at the victim
[07:05:55] <mitsuhiko> heikkit: in which situation is an attacker just recording and too stupid to modify the data sent?
[07:06:31] <heikkit> say you drive to the parking lot of a company, and just record the wireless traffic for a while
[07:06:54] <mitsuhiko> if the company is using a hub the company has a problem ;)
[07:07:01] <heikkit> then go home, make an attack site, entice some company employee to visit your site which contains csrf attack
[07:07:16] <heikkit> well, that was just an example
[07:09:03] <mitsuhiko> for that situation someone can still implement a one-time token for zine's forms later
[07:09:11] <mitsuhiko> for the moment it's better than nothing
[07:10:36] <heikkit> yeah
[07:47:32] * davidcramer has quit IRC
[07:47:56] * davidcramer has joined #pocoo
[08:10:44] * leche has joined #pocoo
[08:34:47] * leche has quit IRC
[08:41:57] * leche has joined #pocoo
[09:48:34] * damjan has quit IRC
[09:50:52] * damjan has joined #pocoo
[10:15:03] * heikkit has quit IRC
[10:21:15] * davidcramer has quit IRC
[10:21:27] * davidcramer has joined #pocoo
[10:29:19] * leche has quit IRC
[11:12:20] * real-dev has joined #pocoo
[11:12:21] * davidcramer has quit IRC
[11:12:34] * davidcramer has joined #pocoo
[11:14:21] * pete__c has quit IRC
[11:14:22] * _P_ has quit IRC
[11:14:22] * dev has quit IRC
[11:14:26] * real-dev is now known as dev
[11:15:02] * _P_ has joined #pocoo
[11:15:03] * pete__c has joined #pocoo
[12:37:33] * davidcramer has quit IRC
[12:38:10] * davidcramer has joined #pocoo
[13:05:37] * luks_ is now known as luks
[13:06:58] * leche has joined #pocoo
[13:25:33] <CIA-49> python-doctools: georg.brandl * r66845 /doctools/trunk/EXAMPLES: Add new projects/URLs.
[13:26:17] * sashav has quit IRC
[13:27:44] <CIA-49> python-doctools: georg.brandl * r66846 /doctools/branches/0.4.x/ (EXAMPLES sphinx/ext/autodoc.py CHANGES): Fix an autodoc UnboundLocalError.
[13:28:33] * leche has quit IRC
[13:28:51] <CIA-49> python-doctools: georg.brandl * r66847 /doctools/branches/0.4.x/ (sphinx/__init__.py CHANGES): Release 0.4.3.
[13:32:06] <CIA-49> python-doctools: georg.brandl * r66848 /doctools/tags/0.4.3: Tag 0.4.3.
[13:39:56] * sashav has joined #pocoo
[14:09:20] * sashav has quit IRC
[14:48:24] * Baumichel has joined #pocoo
[15:07:43] * miracle2k has joined #pocoo
[15:08:36] <miracle2k> so, jinja2 doesn't have a with-tag, correct? or is there another feature like it?
[15:55:17] <plaes> "with" ?
[15:55:35] <plaes> miracle2k: what should this "with" tag do?
[15:56:51] <miracle2k> plaes: django has a with-tag that works basically like: {% with very.complex.expression as xyz %} {{ xyz.attr }} {% endwith %}
[16:07:02] <plaes> ah.. check out the macro
[16:13:57] * EnTeQuAk has joined #pocoo
[16:15:48] <birkenfeld> miracle2k: am I wrong or can you just do {% set xyz = very.complex.expression %} in jinja?
[16:27:45] <miracle2k> birkenfeld: well, possibly. but that's not quite as elegant, since the variable won't be unset, not automatically at least
[16:28:50] <birkenfeld> miracle2k: you need an {% endswith %} for that in Django...
[16:29:43] <miracle2k> sure
[16:30:01] <miracle2k> hmm. can you delete/unset a variable in jinja?
[16:33:25] * sashav has joined #pocoo
[16:37:59] * maix has joined #pocoo
[16:50:55] * Crast has quit IRC
[17:03:31] * sashav has quit IRC
[17:12:04] * davidcramer has quit IRC
[17:12:40] * davidcramer has joined #pocoo
[17:13:14] * sashav has joined #pocoo
[17:23:18] * stifal has joined #pocoo
[17:38:26] * alowry has joined #pocoo
[17:49:08] * davidcramer has quit IRC
[17:49:18] * sashav has quit IRC
[17:49:42] * davidcramer has joined #pocoo
[17:53:05] * thatch is now known as thatch_work
[18:15:08] * heikkit has joined #pocoo
[18:21:10] * miracle2k has left #pocoo
[18:36:34] * leche has joined #pocoo
[18:45:57] * izibi has joined #pocoo
[18:59:09] * davidcramer has quit IRC
[18:59:23] * davidcramer has joined #pocoo
[19:16:31] * benoitc has quit IRC
[19:22:43] * sashav has joined #pocoo
[19:22:51] * benoitc has joined #pocoo
[19:22:55] <benoitc> morning'
[19:30:11] * benoitc has quit IRC
[19:31:12] * benoitc has joined #pocoo
[19:43:54] * benoitc is now known as Guest17806
[19:45:05] * mtrichardson has joined #pocoo
[19:55:25] * Guest17806 has quit IRC
[19:57:59] * sashav has quit IRC
[20:04:30] * jinks has quit IRC
[20:04:45] * jinks has joined #pocoo
[20:29:25] * sashav has joined #pocoo
[20:33:16] * EnTeQuAk has quit IRC
[20:34:15] * EnTeQuAk has joined #pocoo
[20:36:57] * EnTeQuAk has quit IRC
[20:57:36] * sashav has quit IRC
[20:58:03] * sashav has joined #pocoo
[21:00:50] * jpcw has quit IRC
[21:12:45] * sashav has quit IRC
[21:20:04] * benoitc has joined #pocoo
[21:20:13] <benoitc> hi
[21:21:03] <birkenfeld> hi!
[21:34:09] * sashav has joined #pocoo
[21:35:48] * sashav has quit IRC
[21:36:46] * [diecast] has quit IRC
[21:49:24] * stifal has quit IRC
[21:51:13] * aconbere has joined #pocoo
[21:57:09] * davidcramer has quit IRC
[21:58:16] * davidcramer has joined #pocoo
[22:05:54] * sashav has joined #pocoo
[22:13:19] * sashav has quit IRC
[22:13:56] <heikkit> after I blogged about my first werkzeug app (http://www.heikkitoivonen.net/blog/2008/10/07/office-resource-finder/), I received emails from people wishing werkzeug had a wiki
[22:14:17] <heikkit> are there any plans on adding a wiki to the community tools? http://werkzeug.pocoo.org/community/
[22:14:27] <birkenfeld> heikkit: I saw the post -- nice app :)
[22:14:28] <mitsuhiko> well. there is the trac :)
[22:14:33] <heikkit> thanks :)
[22:15:17] <ronny> heikkit: nice app, but ew for using configobj
[22:15:30] <ronny> (i had much bad blood with that fuckup)
[22:15:43] <heikkit> ooh, how could I miss - there already was a wiki link on the community page
[22:15:55] <heikkit> ronny: what would you use instead?
[22:16:39] <ronny> i'd say depends, im experimenting with vellum, an own ini parser called simleconfig, and configparser on occasion
[22:16:44] <mitsuhiko> what's wrong with configobj?
[22:16:48] <ronny> *simpleconfig
[22:17:00] <mitsuhiko> hi birkenfeld :)
[22:17:06] <birkenfeld> heya
[22:17:24] <ronny> mitsuhiko: mostly the weird complexity
[22:17:46] <birkenfeld> and that makes it a fuckup?
[22:17:51] <ronny> the output is really nasty if you throw anything complex at it
[22:18:00] <ronny> and it shipped with broken doctests
[22:18:23] <ronny> well, and the code is a hell of encoding "repair" hacks
[22:18:59] <heikkit> I haven't looked at ConfigObj insides, it has just always worked for me and easy to use
[22:19:38] <heikkit> I haven't tried to do anything fancy, though
[22:23:27] <ronny> also its kinda nasty to have ~2500 loc of stuff if all you want is a simple way from ini to rather flat config data
[22:25:13] * sashav has joined #pocoo
[22:27:50] <steg> mitsuhiko: gf is now using werkzeug for her 4th year project :P
[22:28:01] <steg> i haven't decided whether this is a good thing or a bad thing ;)
[22:28:16] <mitsuhiko> time will tell :)
[22:28:21] <steg> it means i get called upon a lot to help, and i need to work on my teaching skills :P
[22:28:55] <steg> what was strange to me was that she got closures instantly when i explained them, but had real trouble getting what **foo and *bar did
[22:29:27] <steg> i was the opposite when learning
[22:29:31] <mitsuhiko> closures are what you expect from languages anyways
[22:30:01] <steg> mitsuhiko: i don't know... i've tried to explain them to java people before. They tend to have most trouble with the idea of functions as first-class
[22:30:17] <steg> had most success with the "pretend it's an object" approach ;)
[22:30:44] <mitsuhiko> closures for java programmers: "like inner classes with less boilerplate code"
[22:30:52] <steg> yeah
[22:31:50] <birkenfeld> if the only thing you have is classes, everything looks like a perfect match for Java?
[22:39:46] <steg> hmmph, coming to think of it
[22:40:07] <steg> she probably got closures immediately because we learnt haskell in first year :P
[22:42:41] <ronny> lol
[22:46:30] * sashav_ has joined #pocoo
[22:47:23] * leche has quit IRC
[22:50:15] <ronny> oO
[22:50:44] <ronny> ok, configobj is insane really - incompatible behaviour changes in patchlevel versions ;P
[23:06:35] * sashav has quit IRC
[23:07:37] * sashav_ has quit IRC
[23:21:37] * izibi has quit IRC