encode_ip_timestamp has bug with IPv6 #831
The solution is relatively simple to ensure that an exception doesn't occur when we have an ipv6 address.
Looking at the function: https://github.com/Pylons/pyramid/blob/master/pyramid/authentication.py#L748 it doesn't provide anything of value.
There is no reason from a cryptographic standpoint to convert the timestamp to bytes (e.g. str(time.time()) would just do as well), and then concatenating the IP address, to then pass it into a hash function.
Could be refactored as follows:
On another note, the default hashalg on https://github.com/Pylons/pyramid/blob/master/pyramid/authentication.py#L412 should be changed to SHA-1 at least, or SHA-2 family (SHA-256). Although I am not aware of any inherent issues with HMAC(MD5) it is no longer recommended for use, HMAC(SHA-1) has also been deprecated by NIST, and HMAC(SHA-192) or higher is recommended, although it looks like a warning is thrown about the default value (excellent!)
If I get some time later tonight I may make the changes above to drop the requirement for the
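As an added illustration of the refactor the issue is asking for (this is example code written for this page, not pyramid's own implementation): an IPv4-only packer that splits on dots and fails on an IPv6 literal, beside a version that uses the standard `ipaddress` module to pack either family, and an HMAC ticket digest whose hash algorithm is a parameter, so moving from md5 to sha256 is a one-word change. The `ticket_digest`, `verify_ticket` and `encode_ip_timestamp_ipv4_only` names, the message layout, and the use of `0.0.0.0` as the placeholder when the IP is not included are assumptions for this example.

```python
import hashlib
import hmac
import ipaddress
import time


def encode_ip_timestamp_ipv4_only(ip, timestamp):
    """Constructed IPv4-only packer showing the failure mode from the issue.

    Splitting on '.' and int()-ing each piece raises ValueError as soon as
    an IPv6 literal such as '2001:db8::1' comes in (assumed shape, not
    pyramid's exact code).
    """
    octets = [int(part) for part in ip.split(".")]
    if len(octets) != 4:
        raise ValueError("expected a dotted-quad IPv4 address: %r" % (ip,))
    return bytes(octets) + int(timestamp).to_bytes(4, "big")


def encode_ip_timestamp(ip, timestamp):
    """Family-agnostic packing: 4 bytes for IPv4, 16 for IPv6, then the time.

    ipaddress.ip_address() validates and parses both families; .packed is
    the canonical network-order byte form, so the same input always yields
    the same bytes. The exact serialisation is irrelevant to the MAC; it only
    has to be unambiguous, which a fixed-width layout guarantees.
    """
    packed_ip = ipaddress.ip_address(ip).packed
    return packed_ip + int(timestamp).to_bytes(4, "big")


def ticket_digest(secret, userid, ip, timestamp, hashalg="sha256"):
    """HMAC over (ip, timestamp, userid) with a selectable hash function.

    `hashalg` names a hashlib constructor ('md5', 'sha1', 'sha256', ...).
    Only the key and an unambiguous message matter to HMAC's security, so
    any reversible encoding of the timestamp would do equally well here.
    """
    if isinstance(secret, str):
        secret = secret.encode("utf-8")
    message = encode_ip_timestamp(ip, timestamp) + userid.encode("utf-8")
    return hmac.new(secret, message, getattr(hashlib, hashalg)).hexdigest()


def verify_ticket(secret, userid, ip, timestamp, presented, hashalg="sha256"):
    """Recompute the digest and compare in constant time."""
    expected = ticket_digest(secret, userid, ip, timestamp, hashalg)
    return hmac.compare_digest(expected, presented)


def remote_ip_for_ticket(remote_addr, include_ip):
    """Assumed caller convention: when the IP is not bound into the ticket,
    a fixed all-zero placeholder is used so the message layout stays constant."""
    return remote_addr if include_ip else "0.0.0.0"


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    secret = b"example-secret-not-for-production"
    now = int(time.time())
    for addr in ("192.0.2.1", "2001:db8::1"):
        ip = remote_ip_for_ticket(addr, include_ip=True)
        digest = ticket_digest(secret, "alice", ip, now)
        print(addr, len(encode_ip_timestamp(ip, now)), "bytes ->", digest[:16], "...")
        print("  verifies:", verify_ticket(secret, "alice", ip, now, digest))
        try:
            encode_ip_timestamp_ipv4_only(addr, now)
            print("  ipv4-only packer: ok")
        except ValueError as exc:
            print("  ipv4-only packer raised:", exc)
```

The IPv4-only helper is kept only to make the reported failure reproducible next to the fix; the HMAC digest itself never changes shape between the two packers, which is the point the issue makes about the serialisation being cryptographically irrelevant.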
@thanhlim do be aware that using the include_ip functionality will mean that if the user has their IPv6 addresses given to them using SLAAC that their session ticket will expire whenever their IP changes, which is dependent on their local router advertising the prefix, and the preferred lifetime/valid lifetime. See http://en.wikipedia.org/wiki/IPv6_address#Address_lifetime for more information. Using the IP address in the auth ticket will mean your users get logged out sooner and more often, so your mileage may vary and caveat emptor.
Agreed. I've been planning to migrate away from MD5 in the very near future and was planning on those changes.
Also, thinking about it, I should remove the requirement to use include_ip as well. Even though the app runs almost exclusively on the mobile device using wireless, and not wifi, and thus using MobileIP, there could be issues with technology changes that might change the IP address.
Anyway, just wanted to give you the heads up about what I saw out in my logs.