[Checkins] SVN: cipher.googlepam/trunk/ MemCache security fix: do not use the same cache key for all users.
Marius Gedminas
cvs-admin at zope.org
Wed Oct 10 14:33:00 UTC 2012
Log message for revision 127961:
MemCache security fix: do not use the same cache key for all users.
Changed:
U cipher.googlepam/trunk/CHANGES.txt
U cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py
U cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py
-=-
Modified: cipher.googlepam/trunk/CHANGES.txt
===================================================================
--- cipher.googlepam/trunk/CHANGES.txt 2012-10-10 14:11:51 UTC (rev 127960)
+++ cipher.googlepam/trunk/CHANGES.txt 2012-10-10 14:32:57 UTC (rev 127961)
@@ -4,6 +4,14 @@
1.5.1 (unreleased)
------------------
+- MemCache reliability fixes:
+
+ + **SECURITY FIX**: do not use the same cache key for all users.
+
+ Previously when one user logged in successfully, others could not log in
+ using their own passwords -- but the first user could now use her password
+ to log in as anyone else.
+
- FileCache reliability fixes:
+ Avoid incorrect cache lookups (or invalidations) when a username is a
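Review bot: The security fix in the 1.5.1 entry is filed under the "MemCache reliability fixes" heading, where someone scanning the changelog for security-relevant releases can easily miss it. Consider giving it its own top-level bullet rather than nesting it under "reliability", and state that it applies only when the MemCache backend is configured, since the described impact (the first user's password being accepted for any other username) is an authentication bypass rather than a reliability problem.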
Modified: cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py
===================================================================
--- cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py 2012-10-10 14:11:51 UTC (rev 127960)
+++ cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py 2012-10-10 14:32:57 UTC (rev 127961)
@@ -138,10 +138,10 @@
self._client = memcache.Client(
['%s:%s' %(self.pam.config.get(self.SECTION_NAME, 'host'),
self.pam.config.get(self.SECTION_NAME, 'port'))],
- debug = self.pam.config.getboolean(self.SECTION_NAME, 'debug'))
+ debug=self.pam.config.getboolean(self.SECTION_NAME, 'debug'))
def _get_key(self, username):
- return self.pam.config.get(self.SECTION_NAME, 'key-prefix')
+ return self.pam.config.get(self.SECTION_NAME, 'key-prefix') + username
def _get_user_info(self, username):
return self._client.get(self._get_key(username))
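Review bot: In `_get_key`, `key-prefix + username` puts the raw, client-supplied username into the memcached key with no separator, validation or encoding. Memcached keys are limited to 250 bytes and may not contain whitespace or control characters, so a username containing a space or an overlong username does not yield a valid key, and an empty username maps to the bare prefix, which is exactly the key the old code wrote for every user. Suggest rejecting empty usernames and building the key from the prefix, a fixed separator and an encoded or hashed form of the username (a hex digest, for example), so every username maps to a distinct, well-formed key.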
Modified: cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py
===================================================================
--- cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py 2012-10-10 14:11:51 UTC (rev 127960)
+++ cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py 2012-10-10 14:32:57 UTC (rev 127961)
@@ -466,6 +466,7 @@
True
>>> pam._cache.authenticate('user', 'bad')
False
+ >>> pam._cache.authenticate('other', 'pwd')
When the cache entry times out, the cache behaves as it has no entry:
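Review bot: The added line `>>> pam._cache.authenticate('other', 'pwd')` has no expected output, so the regression check relies on the doctest rule that a `None` result prints nothing, and a reader cannot tell from the test what the correct answer is. Suggest making the expectation explicit (for example `... is None` followed by `True`) and adding a sentence of doctest prose above it saying that a cached entry for 'user' must not be consulted for 'other'. A second case where 'other' has its own cached entry with a different password would also cover the other half of the bug described in CHANGES.txt, where users could not log in with their own passwords.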