Tryton - Issues


Issue5381

Title: Limit the login size stored in attempt table
Priority: feature
Status: resolved
Superseder:
Nosy List: ajacoutot, bch, ced, nicoe, pokoli, sharkcz, yangoon
Type: security
Components: trytond
Assigned To: ced
Keywords: review
Reviews: 17901002

Created on 2016-03-09.16:09:59 by ced, last changed by ced.

Messages
msg25020 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-03-14.19:49:09
New changeset 4d069b887e72 by Cédric Krier in branch 'default':
Limit the login size in LoginAttempt
http://hg.tryton.org/trytond/rev/4d069b887e72

New changeset 63e4d455482a by Cédric Krier in branch '3.8':
Limit the login size in LoginAttempt
http://hg.tryton.org/trytond/rev/63e4d455482a

New changeset 9d3cbe617ec1 by Cédric Krier in branch '3.6':
Limit the login size in LoginAttempt
http://hg.tryton.org/trytond/rev/9d3cbe617ec1

New changeset 6352bafa3cc1 by Cédric Krier in branch '3.4':
Limit the login size in LoginAttempt
http://hg.tryton.org/trytond/rev/6352bafa3cc1

New changeset 4a3e2fec4b41 by Cédric Krier in branch '3.2':
Limit the login size in LoginAttempt
http://hg.tryton.org/trytond/rev/4a3e2fec4b41

New changeset 1ad881b54a08 by Cédric Krier in branch '3.0':
Limit the login size in LoginAttempt
http://hg.tryton.org/trytond/rev/1ad881b54a08
msg24735 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-03-10.15:21:37
I propose to make a security release for all series on the 14th of March.
I don't think it requires any special news.
msg24696 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-03-09.16:13:37
Here is review17901002
msg24695 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-03-09.16:09:58
As discussed in issue5375, a malicious user could make trytond store a very large login name in the attempt table.
I propose to put a size constraint and to truncate the login received from the outside.
I think a size of 1024 is good enough but of course any installation with a login greater than that will share the login attempt. I don't think it is a problem.

Also I put it as a security issue, so I think we should backport it to all series, but I don't think it deserves a CVE number because there is no data leak nor privilege escalation.
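The mitigation described in this message, truncating the login received from the outside and putting a size constraint on the stored column, as an added example that is not trytond's code: a minimal sqlite3 model of a login attempt table. The 1024 limit comes from the message; the table layout, the names (LOGIN_MAX_SIZE, normalize_login, record_attempt, count_attempts) and the sample inputs are mine. It also shows the trade-off the message accepts: two oversized logins that agree on their first 1024 characters share one attempt counter.

```python
import sqlite3

# 1024 is the size proposed in the issue; the constant name is ours, not trytond's.
LOGIN_MAX_SIZE = 1024


def normalize_login(login):
    """Truncate a login received from the outside to the size that is stored."""
    return login[:LOGIN_MAX_SIZE]


def create_schema(conn):
    # The CHECK constraint is defense in depth: a code path that forgets to
    # truncate cannot make the database store an oversized login.
    conn.execute(
        "CREATE TABLE login_attempt ("
        "  id INTEGER PRIMARY KEY,"
        "  login VARCHAR(%d) NOT NULL CHECK (length(login) <= %d),"
        "  ip_address TEXT,"
        "  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP"
        ")" % (LOGIN_MAX_SIZE, LOGIN_MAX_SIZE)
    )


def record_attempt(conn, login, ip_address):
    """Record a failed attempt, storing at most LOGIN_MAX_SIZE characters of the login."""
    stored = normalize_login(login)
    conn.execute(
        "INSERT INTO login_attempt (login, ip_address) VALUES (?, ?)",
        (stored, ip_address),
    )
    return stored


def count_attempts(conn, login):
    """Count attempts for a login. The lookup key gets the same truncation as the
    stored value, otherwise oversized logins would never match their own rows."""
    row = conn.execute(
        "SELECT count(*) FROM login_attempt WHERE login = ?",
        (normalize_login(login),),
    ).fetchone()
    return row[0]


def raw_insert_accepted(conn, login):
    """Try to store a login without truncation. Returns True only if the
    database accepted it, which the CHECK constraint prevents for oversized values."""
    try:
        conn.execute(
            "INSERT INTO login_attempt (login, ip_address) VALUES (?, ?)",
            (login, "203.0.113.9"),
        )
    except sqlite3.IntegrityError:
        return False
    return True


def demo():
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    # Constructed sample: a hostile client sends a 1 MiB login name.
    huge_login = "a" * (1024 * 1024)
    stored = record_attempt(conn, huge_login, "203.0.113.7")
    # A second oversized login that differs only after the cut collapses
    # onto the same stored value, so both attempts count against one key.
    record_attempt(conn, huge_login + "b", "203.0.113.8")
    return {
        "stored_len": len(stored),
        "count": count_attempts(conn, huge_login),
        "raw_accepted": raw_insert_accepted(conn, huge_login),
        "short_count": count_attempts(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Truncating in application code keeps the attempt counter working for the oversized login (the client is still throttled), while the column constraint bounds what any caller can write into the table; the page's own fix applies the same idea to the LoginAttempt model.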
History
Date                User  Action  Args
2016-10-24 09:26:15 ced   link    issue5970 superseder
2016-03-14 19:49:12 ced   set     status: testing -> resolved; messages: + msg25020
2016-03-10 15:21:38 ced   set     messages: + msg24735
2016-03-09 16:13:37 ced   set     status: unread -> testing; reviews: 17901002; messages: + msg24696; keyword: + review; assignedto: ced
2016-03-09 16:09:59 ced   create
