django-user-sessions
SECURITY: Flaw in django-user-sessions
I discovered a potential security flaw in this package, and reported it to the Jazzband security mailing address as directed on this page over a year ago.
My initial email was acknowledged, I was told that my email was forwarded onto the project lead, and then all further contact ceased despite my repeated attempts.
I have also emailed Bouke directly, who was responsive, but they have stepped away from maintaining this project and cannot help me any further.
I have tried to follow the published guidelines for reporting security flaws and I have gotten nowhere after giving a very diplomatic amount of time to respond. But almost one year of non-contact far exceeds any reasonable responsible disclosure policy.
I am opening this public issue to both warn existing and potential users of a potential flaw, and to seek further guidance on who/how/where to report this.
Unless persuaded otherwise, after one week from today at most, I will publish a fix and tests for the security flaw in the form of a PR, and within 24 hours after that, being a Jazzband member myself, I will merge it into the main branch of this repository. I will then attempt to publish a release to PyPI, with my existing user credentials and permissions (not sure if this will be successful, but I feel it is the responsible thing to do).
I am more than happy to continue this discussion privately with other existing maintainers in an attempt to provide my flaw and fix, and brainstorm instructions for existing django-user-sessions users. But I will not be publicly answering any questions regarding the nature of the flaw.
Sorry, I was travelling at the time and completely forgot about this.
~~I'll reply to your email privately.~~ Reply sent.
Any news?
hi @blag -- I did not see any commits in this repo happening. I previously provided a couple of commits in this repo. Also, I've done multiple releases for jazzband modules before. If you want you can reach out to me privately (email via link in my github profile) I'm sure we can work together to get this issue solved. Of course, if @WhyNotHugo can help that's even better!
Also @blag @WhyNotHugo if you had contact before, and decided the security issue was actually not a security issue or something like that, that's also great to know!! Then we can close this GitHub issue.
Based on our last discussion, this is a security issue that we need to address, but I don't think we gain anything by keeping it under embargo:
- Exploiting it requires an additional security hole via which an attacker can render custom content unescaped.
- We don't have a mechanism to quickly push updates to all consumers — even if we publish a fixed version tomorrow, there's no "announcement" list where we can reach all users telling them to update quickly. Downstream users will (regrettably) take a while to update.
@blag Your suggestions in your latest email seem like a sensible approach. Do you want to send a PR for it?