Session Initializer Security Flaw Fix #109

Merged
merged 1 commit into from Oct 12, 2011

@deybhayden
Contributor

deybhayden commented Oct 12, 2011

Updating session code to create a new copy of the initializer object with each new session. Caused major security issues at my company. This flaw allowed new users to log in as the last session used by Web.py.

I used deepcopy, because we set our initializer to a nested dictionary and normal copy() doesn't cut it.

Updating session code to create a new initializer object with each new session. Caused major security issues at my company.
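The leak described above, as an added illustration that is not web.py's own session code: a constructed stand-in store seeded from a nested initializer dict, showing that handing out the initializer object itself or a shallow copy() lets one session's login state bleed into the next new session, while deepcopy gives every session independent state.

```python
import copy


def make_initializer():
    """Constructed nested initializer, the shape the PR description mentions."""
    return {"user": {"name": None, "logged_in": False}}


class SessionStore:
    """Hands out one session dict per session id, seeded from `initializer`.

    mode selects how the seed is produced (stand-in for the session code path):
      'shared'  - the initializer object itself: every session is the same dict
      'shallow' - copy.copy(): new top-level dict, nested dicts still shared
      'deep'    - copy.deepcopy(): fully independent state per session (the fix)
    """

    def __init__(self, initializer, mode="deep"):
        self.initializer = initializer
        self.mode = mode
        self.sessions = {}

    def _seed(self):
        if self.mode == "shared":
            return self.initializer
        if self.mode == "shallow":
            return copy.copy(self.initializer)
        return copy.deepcopy(self.initializer)

    def get(self, session_id):
        # A new session id gets a fresh seed; an existing one gets its own state.
        if session_id not in self.sessions:
            self.sessions[session_id] = self._seed()
        return self.sessions[session_id]


def login(session, username):
    session["user"]["name"] = username
    session["user"]["logged_in"] = True


def second_visitor_state(mode):
    """User A logs in; return (logged_in, name) as seen by a brand-new session B."""
    store = SessionStore(make_initializer(), mode=mode)
    login(store.get("sid-A"), "alice")
    user = store.get("sid-B")["user"]
    return user["logged_in"], user["name"]


if __name__ == "__main__":
    for mode in ("shared", "shallow", "deep"):
        print(mode, second_visitor_state(mode))
```

Only the 'deep' mode leaves session B anonymous; 'shallow' fails the same way as 'shared' because the nested "user" dict is still the one object.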
@aaronsw
Contributor

aaronsw commented Oct 12, 2011

I'm going to merge this because it seems harmless, even though I've never looked at the session code before.

If I read it correctly, it only affects people who pass an initializer dictionary containing items that need to be deepcopy'd, which I presume anyone who tries will quickly notice, so I'm not going to call a five-alarm security alert, but let me know if I'm missing something.

aaronsw added a commit that referenced this pull request Oct 12, 2011

Merge pull request #109 from beardedprojamz/master
Session Initializer Security Flaw Fix

@aaronsw aaronsw merged commit 56a960a into webpy:master Oct 12, 2011

@deybhayden
Contributor

deybhayden commented Oct 12, 2011

Thanks, I appreciate it.
