-
Notifications
You must be signed in to change notification settings - Fork 423
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Running python with optimizations makes UsernamePasswordMako accept any password for any user #451
Comments
Quick fix for the authentication bypass due to optimizations #451
I think this fix introduces another issue. Classes that use UsernamePasswordMako as a base (such as LDAPAuthn) and provide their own _verify method that signals failure to the parent class with raise AssertionError() will no longer be caught. |
Although, this seems to be only affecting return resp
def _verify(self, pwd, user):
- except (ValueError, KeyError):
+ except (ValueError, KeyError, AssertionError):
def verify(self, request, **kwargs):
""" |
In my opinion, it would be better to leave this as a breaking change and signal that through semver. Raising |
The change is already in the 4.5.0 minor release (going by the git tags, apologies if this is not correct) from what I can see, which being a minor release shouldn't break break backwards compat? I Agree re: semver and not using AssertionError to indicate auth fail though. Maybe keep AssertionError in for now but give a deprecation warning and then remove it in 5.0.0? |
This issue was assigned CVE-2017-1000433 |
I'll go through the code and replace all assert statements with if statements. |
@obi1kenobi is there any update on this? If any reply, this issue will be closed in weeks, thank you |
Nothing from my end — #716 looks good to me so far. It might be worth integrating a tool like |
On the current
master
branch, theUsernamePasswordMako
class relies on anassert
statement to check the user's password:https://github.com/rohe/pysaml2/blob/9cbbd9bd9f6bfa5e9ceace064dd1af4e2ff2f68c/src/saml2/authn.py#L149
The
assert
is supposed to raise an exception if the password doesn't match. This is insecure: running python with optimizations enabled (either via the-O
or-OO
flags, or with thePYTHONOPTIMIZE
environment variable) will remove all such assertions. This means that no exception will be raised on an incorrect password, and theUsernamePasswordMako
will accept any password for any user.It would be better to have an explicit check that raises an exception to avoid this problem.
The text was updated successfully, but these errors were encountered: