Django Security Releases Issued (opens in new tab)

(djangoproject.com)

61 pointszain15y ago19 comments

19 comments

16 comments · 5 top-level

svlla15y ago· 5 in thread

"This is technically backwards-incompatible, but the security risks have been judged to outweigh the compatibility concerns in this case."

Good choice. I wonder when weak password hashing in Django will be given the same exception.

simonw15y ago

As discussed on another thread, shipping bcrypt by default isn't technically feasible yet due to the Python binding for it failing to compile cleanly on Windows: http://news.ycombinator.com/item?id=2177989

tedunangst15y ago

Something like PBKDF2 is trivially implementable in pure python with the provided primitives. There's no excuse not to do it.

ylem15y ago

I've been looking at this recently. I'm still not sure about using bcrypt (SHA512 for example is part of the python standard library), but we should at least be using SHA2 instead of SHA1. One possibility is to use google's KeyGen to encrypt the password, but bottom line, I think that the password hashing should be the responsibility of the backend (with the default doing the "right" thing).

I've also been looking at trying to make an username===email backend for django (instead of a user generated--part of the battle of avoiding too many user names that people just forget) and it's hard because a lot of things in the auth module are fairly fixed--regardless of the backend that you choose (for example, the regex on the username, or the length of fields). There have been some other attempts (like emailauth) to address this, but it's actually a large undertaking if you want the same functionality as the auth module.

How responsive are the django developers? They seemed fairly certain that they weren't going to change the defaults for the username/email address to preserve backwards compatibility. Is it better to make a whole new authorization module (complete with middleware) or to patch theirs?

bryanh15y ago

Why couldn't they use SHA2 and make it go around X times? The bcrypt plugin [1] maintains backwards compatibility with old passwords just fine.

Also, if you are cool with rolling your own registration forms/etc. you can easily just set the email as the username and email. You lose the more obscure but technically valid characters for email (a-z A-Z 0-9 @.+-_ are all fine), but 99% of emails work fine in the Django username field. Or maybe I just haven't hit some obvious problem with that implementation yet...

[1] https://github.com/dwaiter/django-bcrypt/

1 more reply

nbpoole15y ago

Good password hashing is important. However, every single Django application being vulnerable to CSRF is a much bigger deal. ;-)

aston15y ago· 4 in thread

These guys are not the only ones to make this mistake. Check the first line of Tornado's XSRF check:

    def check_xsrf_cookie(self):
        """Verifies that the '_xsrf' cookie matches the '_xsrf' argument.

        To prevent cross-site request forgery, we set an '_xsrf' cookie
        and include the same '_xsrf' value as an argument with all POST
        requests. If the two do not match, we reject the form submission
        as a potential forgery.

        See http://en.wikipedia.org/wiki/Cross-site_request_forgery
        """
        if self.request.headers.get("X-Requested-With") == "XMLHttpRequest":
            return
        token = self.get_argument("_xsrf", None)
        if not token:
            raise HTTPError(403, "'_xsrf' argument missing from POST")
        if self.xsrf_token != token:
            raise HTTPError(403, "XSRF cookie does not match POST argument")

nbpoole15y ago

I wouldn't call it a mistake. If you had asked me before this afternoon whether trusting X-Requested-With would protect against CSRF, I would have said yes. I still have no idea how you can send arbitrary cross-domain requests in Java and Flash: the fact that you can do so is a security vulnerability in and of itself.

That being said, I'm going to let them know to fix that code. ;)

marcinw15y ago

Tipfy looks to be as well:

http://code.google.com/p/tipfy/source/browse/tipfyext/wtform...

moraesmoraes15y ago

A new release fixed this issue. Thank you!

bdarnell15y ago

This has been fixed in the just-released Tornado 1.1.1.

bryanh15y ago· 2 in thread

A bothersome change, especially for all those employing jQuery plugins that don't have a quick method to add the CSRF token to AJAX requests.

I think I might just add @csrf_exempt, as long as we aren't changing vital info via the request...

nbpoole15y ago

Out of curiosity, why doesn't hooking beforeSend (as suggested in the blog post) work?

bryanh15y ago

I haven't had a chance to try it, but if it gracefully handles every jQuery plug-ins' use of the .ajax() method, I don't see why it wouldn't work.

1 more reply

ubernostrum15y ago

Since this also affected Rails, a minor clarification:

We spoke with Ben Bangert of Pylons/Pyramid, and did some checking of source code there and in other projects, and as far as we knew last week, Django was the only Python framework affected by the CSRF issue. If you find another project which is affected, please notify them ASAP.

nbpoole15y ago

Cross-posting the recent discussion about the new Ruby on Rails release, which included a fix for the same CSRF issue:

http://news.ycombinator.com/item?id=2195283

j / k navigate · click thread line to collapse

19 comments

16 comments · 5 top-level

svlla15y ago· 5 in thread

"This is technically backwards-incompatible, but the security risks have been judged to outweigh the compatibility concerns in this case."

Good choice. I wonder when weak password hashing in Django will be given the same exception.

simonw15y ago

tedunangst15y ago

Something like PBKDF2 is trivially implementable in pure python with the provided primitives. There's no excuse not to do it.

ylem15y ago

bryanh15y ago

Why couldn't they use SHA2 and make it go around X times? The bcrypt plugin [1] maintains backwards compatibility with old passwords just fine.

[1] https://github.com/dwaiter/django-bcrypt/

1 more reply

nbpoole15y ago

Good password hashing is important. However, every single Django application being vulnerable to CSRF is a much bigger deal. ;-)

aston15y ago· 4 in thread

These guys are not the only ones to make this mistake. Check the first line of Tornado's XSRF check:

    def check_xsrf_cookie(self):
        """Verifies that the '_xsrf' cookie matches the '_xsrf' argument.

        To prevent cross-site request forgery, we set an '_xsrf' cookie
        and include the same '_xsrf' value as an argument with all POST
        requests. If the two do not match, we reject the form submission
        as a potential forgery.

        See http://en.wikipedia.org/wiki/Cross-site_request_forgery
        """
        if self.request.headers.get("X-Requested-With") == "XMLHttpRequest":
            return
        token = self.get_argument("_xsrf", None)
        if not token:
            raise HTTPError(403, "'_xsrf' argument missing from POST")
        if self.xsrf_token != token:
            raise HTTPError(403, "XSRF cookie does not match POST argument")

nbpoole15y ago

That being said, I'm going to let them know to fix that code. ;)

marcinw15y ago

Tipfy looks to be as well:

http://code.google.com/p/tipfy/source/browse/tipfyext/wtform...

moraesmoraes15y ago

A new release fixed this issue. Thank you!

bdarnell15y ago

This has been fixed in the just-released Tornado 1.1.1.

bryanh15y ago· 2 in thread

A bothersome change, especially for all those employing jQuery plugins that don't have a quick method to add the CSRF token to AJAX requests.

I think I might just add @csrf_exempt, as long as we aren't changing vital info via the request...

nbpoole15y ago

Out of curiosity, why doesn't hooking beforeSend (as suggested in the blog post) work?

bryanh15y ago

I haven't had a chance to try it, but if it gracefully handles every jQuery plug-ins' use of the .ajax() method, I don't see why it wouldn't work.

1 more reply

ubernostrum15y ago

Since this also affected Rails, a minor clarification:

nbpoole15y ago

Cross-posting the recent discussion about the new Ruby on Rails release, which included a fix for the same CSRF issue:

http://news.ycombinator.com/item?id=2195283

j / k navigate · click thread line to collapse