[Checkins] SVN: cipher.googlepam/trunk/ MemCache security fix: do not use the same cache key for all users.

Marius Gedminas cvs-admin at zope.org
Wed Oct 10 14:33:00 UTC 2012


Log message for revision 127961:
  MemCache security fix: do not use the same cache key for all users.

Changed:
  U   cipher.googlepam/trunk/CHANGES.txt
  U   cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py
  U   cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py

-=-
Modified: cipher.googlepam/trunk/CHANGES.txt
===================================================================
--- cipher.googlepam/trunk/CHANGES.txt	2012-10-10 14:11:51 UTC (rev 127960)
+++ cipher.googlepam/trunk/CHANGES.txt	2012-10-10 14:32:57 UTC (rev 127961)
@@ -4,6 +4,14 @@
 1.5.1 (unreleased)
 ------------------
 
+- MemCache reliability fixes:
+
+  + **SECURITY FIX**: do not use the same cache key for all users.
+
+    Previously when one user logged in successfully, others could not log in
+    using their own passwords -- but the first user could now use her password
+    to log in as anyone else.
+
 - FileCache reliability fixes:
 
   + Avoid incorrect cache lookups (or invalidations) when a username is a
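Review bot: the **SECURITY FIX** bullet is filed under a heading that reads "MemCache reliability fixes", so anyone skimming the 1.5.1 headings for security-relevant changes can miss it. Give it a heading that says security. The entry should also state which released versions had the shared cache key. "Previously" does not tell an operator whether their deployment was exposed. A note on whether the memcached entry written by the old code should be flushed on upgrade would also help.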

Modified: cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py
===================================================================
--- cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py	2012-10-10 14:11:51 UTC (rev 127960)
+++ cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py	2012-10-10 14:32:57 UTC (rev 127961)
@@ -138,10 +138,10 @@
         self._client = memcache.Client(
                 ['%s:%s' %(self.pam.config.get(self.SECTION_NAME, 'host'),
                            self.pam.config.get(self.SECTION_NAME, 'port'))],
-                debug = self.pam.config.getboolean(self.SECTION_NAME, 'debug'))
+                debug=self.pam.config.getboolean(self.SECTION_NAME, 'debug'))
 
     def _get_key(self, username):
-        return self.pam.config.get(self.SECTION_NAME, 'key-prefix')
+        return self.pam.config.get(self.SECTION_NAME, 'key-prefix') + username
 
     def _get_user_info(self, username):
         return self._client.get(self._get_key(username))
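Review bot: in `_get_key`, the caller-supplied `username` is appended to `key-prefix` as-is, with no validation or encoding. Memcached keys may not contain whitespace or control characters and are limited to 250 bytes, so a username with a space or an overlong username produces an invalid key. An empty username yields the bare prefix, which is exactly the key the old code shared between all users. Consider rejecting empty usernames and deriving the key from an encoded form, for example the prefix plus a hex digest of the username. The `debug=` whitespace change in the same hunk is unrelated to the fix and would be easier to audit in a separate commit.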

Modified: cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py
===================================================================
--- cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py	2012-10-10 14:11:51 UTC (rev 127960)
+++ cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py	2012-10-10 14:32:57 UTC (rev 127961)
@@ -466,6 +466,7 @@
       True
       >>> pam._cache.authenticate('user', 'bad')
       False
+      >>> pam._cache.authenticate('other', 'pwd')
 
     When the cache entry times out, the cache behaves as it has no entry:
 
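Review bot: the added `authenticate('other', 'pwd')` line has no expected output, so the doctest passes only because the call returns `None`, and a reader cannot tell that this is the assertion. Make it explicit, for example `pam._cache.authenticate('other', 'pwd') is None` followed by `True`. It would also be worth asserting that 'user' still authenticates from the cache afterwards, so the test shows the entries are independent.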