CVE-2019-7628: Do not leak partial API keys.

It was discovered that Pagure was leaking API keys by e-mailing
them to users. Few e-mail servers validate TLS certificates, so
it is possible for man-in-the-middle attacks to read these e-mails
and gain access to Pagure on behalf of other users. The
vulnerability was introduced in [0].

This problem was partially addressed in a prior commit[1], but
that commit still leaks the first 5 characters of the key which
weakens the secret.

This commit uses the description of the API key instead of any part
of the secret in the e-mail sent to users so that none of the key
is e-mailed over the Internet.

[0] 57975ef30641907947038b608017a9b721eb33fe
[1] 9905fb1e64341822366b6ab1d414d2baa230af0a

fixes #4253

Signed-off-by: Randy Barlow <randy@electronsweatshop.com>