MemCache security fix: do not use the same cache key for all users.

zopefoundation · Oct 10, 2012 · fb0c5a1 · fb0c5a1
1 parent 6894a6d
commit fb0c5a1
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -4,6 +4,14 @@ CHANGES
 1.5.1 (unreleased)
 ------------------
 
+- MemCache reliability fixes:
+
+  + **SECURITY FIX**: do not use the same cache key for all users.
+
+    Previously when one user logged in successfully, others could not log in
+    using their own passwords -- but the first user could now use her password
+    to log in as anyone else.
+
 - FileCache reliability fixes:
 
   + Avoid incorrect cache lookups (or invalidations) when a username is a

diff --git a/src/cipher/googlepam/pam_google.py b/src/cipher/googlepam/pam_google.py
@@ -138,10 +138,10 @@ def __init__(self, pam):
         self._client = memcache.Client(
                 ['%s:%s' %(self.pam.config.get(self.SECTION_NAME, 'host'),
                            self.pam.config.get(self.SECTION_NAME, 'port'))],
-                debug = self.pam.config.getboolean(self.SECTION_NAME, 'debug'))
+                debug=self.pam.config.getboolean(self.SECTION_NAME, 'debug'))
 
     def _get_key(self, username):
-        return self.pam.config.get(self.SECTION_NAME, 'key-prefix')
+        return self.pam.config.get(self.SECTION_NAME, 'key-prefix') + username
 
     def _get_user_info(self, username):
         return self._client.get(self._get_key(username))

diff --git a/src/cipher/googlepam/tests/test_doc.py b/src/cipher/googlepam/tests/test_doc.py
@@ -466,6 +466,7 @@ def doctest_MemcacheCache():
       True
       >>> pam._cache.authenticate('user', 'bad')
       False
+      >>> pam._cache.authenticate('other', 'pwd')
 
     When the cache entry times out, the cache behaves as it has no entry: