Add admin_required to admin_add_user #974
Conversation
Access to the admin_add_user view should be restricted to administrators only. Unfortunately, I accidentally omitted the `@admin_required` decorator for this view. Since `@admin_required` encapsulates `@login_required`, this means that anybody with access to the Document Interface would be able to create user accounts. This is a fix for the issue reported on Bugtraq: http://seclists.org/bugtraq/2015/Apr/8
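To make the access-control gap concrete, here is an added example (not SecureDrop's own code) of the decorator pattern the description refers to: an `admin_required` that encapsulates `login_required`, an `admin_add_user` view with and without that decorator, and a small regression check over a route table so that an `admin_*` view missing the decorator fails a test instead of shipping. The `Forbidden` exception, the dict-based sessions, the `_requires_admin` marker attribute and the route names are all assumptions made for the demonstration.

```python
from functools import wraps

# Added example (not SecureDrop's code). A plain dict stands in for the Flask
# session, and a Forbidden exception stands in for a redirect/abort(403) so
# the outcome of each call is easy to assert on. All sessions are constructed.


class Forbidden(Exception):
    """Raised where a real view would redirect to login or abort(403)."""


def login_required(view):
    """Reject callers that are not logged in, then run the view."""
    @wraps(view)
    def wrapper(session, *args, **kwargs):
        if not session.get("logged_in"):
            raise Forbidden("login required")
        return view(session, *args, **kwargs)
    return wrapper


def admin_required(view):
    """Encapsulates login_required: the login check runs first, then the admin check.

    An anonymous caller is rejected before the admin flag is consulted; a
    logged-in non-admin is rejected by the admin check.
    """
    @wraps(view)
    def wrapper(session, *args, **kwargs):
        if not session.get("admin"):
            raise Forbidden("admin required")
        return view(session, *args, **kwargs)
    guarded = login_required(wrapper)
    guarded._requires_admin = True  # hypothetical marker inspected by the audit below
    return guarded


def admin_add_user_before_fix(session, username):
    """Shape of the view as merged before this PR: no decorator at all."""
    return ("created", username)


@admin_required
def admin_add_user(session, username):
    """Shape of the view after this PR: login and admin checks both apply."""
    return ("created", username)


@login_required
def index(session):
    return "document interface index"


# Constructed sessions representing three kinds of caller.
SESSIONS = {
    "anonymous": {},
    "journalist": {"logged_in": True, "admin": False},
    "admin": {"logged_in": True, "admin": True},
}


def probe(view):
    """Call a view as each kind of caller and record whether it was allowed."""
    outcome = {}
    for who, session in SESSIONS.items():
        try:
            view(session, "newuser")
            outcome[who] = "allowed"
        except Forbidden as exc:
            outcome[who] = f"denied: {exc}"
    return outcome


def unguarded_admin_views(routes):
    """Regression check: every route named admin_* must carry admin_required.

    Returns the names of offending views so a test can fail with a clear message.
    """
    return sorted(
        name for name, view in routes.items()
        if name.startswith("admin_") and not getattr(view, "_requires_admin", False)
    )


# Hypothetical route table; a real app would build this from its URL map.
ROUTES = {
    "index": index,
    "admin_add_user": admin_add_user,
    "admin_add_user_before_fix": admin_add_user_before_fix,
}

if __name__ == "__main__":
    print("before fix:", probe(admin_add_user_before_fix))
    print("after fix: ", probe(admin_add_user))
    print("unguarded admin views:", unguarded_admin_views(ROUTES))
```

Running the block shows the unguarded view returning `("created", "newuser")` for every caller, the decorated view allowing only the admin session, and the audit naming `admin_add_user_before_fix` as the one route that lacks the guard. The audit is the piece worth keeping in a test suite: it turns "did anyone remember the decorator?" from a code-review question into an automated check.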
Confirmed that this PR fixes the issue reported.
This description of the vulnerability and its impact was sent in reply to the original email on Bugtraq. It appears to be awaiting moderation on that mailing list.

Hello, SecureDrop lead developer here. We are investigating this

However, this bug does not mean that production SecureDrop instances

[0] https://gitweb.torproject.org/torspec.git/tree/rend-spec.txt#n924

The HidServAuth cookie is provisioned by Tor during installation and

Additionally, even if an attacker were able to obtain the HidServAuth

The vulnerability in question was introduced as part of one of the

[1] #522

Sincerely,
Does kinda leave one wondering why commits as responses to audits aren't themselves audited, that's to say why it takes X period of time for it to happen. This can only lead one to believe that any fix, or additions, after an audit is questionable.
Need more code reviewers I would think.
@Taipo I would agree. One of the nice things about open source is that anybody can review our code at any time 😁 But I also think we should develop a mandatory code review policy to lessen the chance of this happening in the future. At the moment, I am the only person who reviews all of the code that gets merged, and I am the only person who reviews the vast majority of the code that I write. Unfortunately, I am a fallible human and I make mistakes like the one that has happened here.
I figured this might be what is happening. Happy to help out again where I can.
Now testing package auto-upgrade from 0.3.1 to 0.3.2.
@Taipo Thanks :) We've also done a bad job engaging with the open source community in recent months, and that's something I'd like to improve going forward.
Add admin_required to admin_add_user
The fix has been packaged as 0.3.2 and pushed to the production update server. The newest code is on master, tagged
The fix has been merged back into develop in 7e7a062 for inclusion in future releases. |
Access to the admin_add_user view should be restricted to administrators only. Unfortunately, I accidentally omitted the `@admin_required` decorator for this view. Since `@admin_required` encapsulates `@login_required`, this means that anybody with access to the Document Interface would be able to create user accounts.

This is a fix for the issue reported on Bugtraq: http://seclists.org/bugtraq/2015/Apr/8

This is a security-high vulnerability and will be sent out in an immediate auto-update to `securedrop-app-code` by EOD today.