cookie parameter protection #243

Closed
xavierba opened this issue Mar 27, 2018 · 4 comments

Comments

@xavierba
Contributor

Hi,
sympa.conf is set to mode 640 in order to protect the cookie from being world-readable.
However, the sympa.conf.bin file is mode 644, whereas it should be 640 too.

Also, cookie should be marked as obfuscated in ConfDef.pm, in order to prevent it from being displayed in the web interface.

Regards,
Xavier

@ikedas
Member

ikedas commented Apr 4, 2018

We worked on the same issue. :-) Choose the better one.

@xavierba
Contributor Author

xavierba commented Apr 4, 2018

@racke didn't like my patch very much, and, as I wrote, I didn't even test it; I just wanted to update the issue. I'm not fond of the chown/chmod: it seems to me there is a race condition between the file creation, chown and chmod steps. Using umask seems slightly better, although not perfect. It would be even better to have the .bin files created with the right owner/group and mode from the very start. Also, your PR is better, as it handles the db_password parameter too.
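
What the race and the fix look like in code, as an added example that is not Sympa's code and not either of the patches discussed in this thread: the write-then-chmod pattern beside creation with the final mode already applied, plus the permission check from the original report. It is written in Python rather than Sympa's Perl; the calls map directly onto sysopen with O_CREAT|O_EXCL and a mode argument, umask and rename in Perl. SAMPLE, the file names and the function names are assumptions for illustration.

```python
import os
import stat
import tempfile

# Constructed sample content standing in for a compiled sympa.conf cache.
# The real .bin holds every parameter, including cookie and db_password.
SAMPLE = "cookie 0123456789abcdef\ndb_password hunter2\n"

def create_cache_racy(path, data, mode=0o640):
    """The pattern the thread objects to: write first, chmod afterwards.
    open() creates the file with 0666 & ~umask (0644 under the usual
    umask 022), so between creation and chmod the secrets are
    world-readable. Returns the mode observed inside that window."""
    with open(path, "w") as fh:
        fh.write(data)
        interim = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode)
    return interim

def create_cache_safe(path, data, mode=0o640):
    """Create the cache with its final mode from the first instant it exists.
    os.open() with O_CREAT applies `mode & ~umask` atomically at creation,
    so there is no window in which the file is more permissive than wanted;
    the umask is tightened to 027 for the duration so the group-readable
    640 survives but 'other' never gets bits, whatever the caller's umask.
    Data is written to a temp file in the same directory and renamed into
    place, so a concurrent reader sees the old cache or the complete new
    one, never a partial one. Owner and group come from the creating
    process (and a setgid directory), so running this as the sympa user
    gives the right ownership without a chown step."""
    directory = os.path.dirname(os.path.abspath(path))
    tmp = os.path.join(directory, ".%s.%d.tmp" % (os.path.basename(path), os.getpid()))
    old_umask = os.umask(0o027)
    try:
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    finally:
        os.umask(old_umask)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.rename(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)

def world_readable(path):
    """True if any 'other' permission bit is set on path."""
    return bool(os.stat(path).st_mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))

def audit(conf_dir, names=("sympa.conf", "sympa.conf.bin")):
    """The check from the original report: which config artifacts in
    conf_dir can every local user read? Returns the offending names."""
    found = []
    for name in names:
        p = os.path.join(conf_dir, name)
        if os.path.exists(p) and world_readable(p):
            found.append(name)
    return found

def demo():
    """Exercise both creators in a scratch directory under umask 022 and
    return the observed modes plus what audit() reports. Constructed data
    only; nothing here touches a real Sympa installation."""
    d = tempfile.mkdtemp()
    bin_path = os.path.join(d, "sympa.conf.bin")
    old_umask = os.umask(0o022)
    try:
        racy_interim = create_cache_racy(bin_path, SAMPLE)
        racy_final = stat.S_IMODE(os.stat(bin_path).st_mode)
        os.unlink(bin_path)
        safe_mode = create_cache_safe(bin_path, SAMPLE)
        # A file left at the umask default, as the report describes for the .bin.
        with open(os.path.join(d, "sympa.conf"), "w") as fh:
            fh.write(SAMPLE)
        offenders = audit(d)
    finally:
        os.umask(old_umask)
    return {"racy_interim": racy_interim, "racy_final": racy_final,
            "safe_mode": safe_mode, "offenders": offenders}
```

demo() reports the racy path at 0644 while the file is being written and 0640 only after the chmod, whereas the safe path is 0640 from creation; audit() then flags the deliberately permissive sympa.conf and not the correctly created .bin.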

@ikedas
Member

ikedas commented Apr 5, 2018

OK @racke, could you please review these two when you come back (or submit a third on your own :))?

ikedas added a commit that referenced this issue Apr 21, 2018
@ikedas ikedas added this to the 6.2.34 milestone Apr 21, 2018
@ikedas
Member

ikedas commented Apr 21, 2018

PR has been merged.
