[MIR] python-oauth

Bug #408878 reported by Ken VanDine
Affects: python-oauth (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: James Westby
Milestone: none

Bug Description

Changed in python-oauth (Ubuntu):
assignee: nobody → Ken VanDine (ken-vandine)
status: New → In Progress
Martin Pitt (pitti)
Changed in python-oauth (Ubuntu):
assignee: Ken VanDine (ken-vandine) → Loïc Minier (lool)
status: In Progress → New
summary: - Move to main
+ [MIR] python-oauth
Loïc Minier (lool) wrote :

Looks fine; just using python-central and not passing -i to dh_* but that's all ok.

Upstream code is fine.

Will just ping Kees in case he'd like to do a security review, but given the size of the code and the fact that it's in Python, I would guess probably not.

Changed in python-oauth (Ubuntu):
status: New → In Progress
Loïc Minier (lool) wrote :

Ken, mind subscribing to the bug mail? Or sub the Ubuntu One devs perhaps?

James Westby (james-w) wrote : Re: [Bug 408878] Re: [MIR] python-oauth

Loïc Minier wrote:
> Looks fine; just using python-central and not passing -i to dh_* but
> that's all ok.
>
> Upstream code is fine.
>
> Will just ping Kees in case he'd like to do a security review, but given
> the size of the code and the fact that it's in Python, I would guess
> probably not

It is only an implementation of OAuth 1.0, not 1.0a, so it suffers from
a session fixation attack, which can be very serious, depending on the
application.

The API would have to change quite dramatically to support 1.0a though.

Thanks,

James
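
The OAuth 1.0a fix James refers to binds the access-token exchange to the party that actually completed authorization: the server mints an oauth_verifier at the authorization step, hands it only to the resource owner's user agent, and refuses to exchange the request token unless that verifier is presented. A plain 1.0 server has no such binding, which is the root of the session fixation problem. The following is an added example (not python-oauth's own code and not from this bug thread) of that server-side check, with the legacy 1.0 behaviour selectable through a `strict_1_0a` flag for comparison; the `TokenStore` class, its method names and the in-memory dict storage are assumptions made here for illustration.

```python
# Added example: OAuth 1.0a-style server-side check on the access-token
# exchange. Not code from python-oauth or from this bug report; the
# TokenStore class and its method names are assumptions made for
# illustration, and storage is an in-memory dict rather than a database.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RequestToken:
    key: str
    consumer_key: str
    authorized: bool = False
    # Set only by the 1.0a authorization step; a 1.0-style server never
    # mints one, which is exactly what leaves the exchange unbound.
    verifier: Optional[str] = None


class TokenStore:
    """Minimal server-side state for the request-token / access-token dance."""

    def __init__(self) -> None:
        self.request_tokens: Dict[str, RequestToken] = {}
        self.access_tokens: Dict[str, str] = {}  # access token -> consumer key

    def issue_request_token(self, consumer_key: str) -> str:
        tok = RequestToken(key=secrets.token_urlsafe(16), consumer_key=consumer_key)
        self.request_tokens[tok.key] = tok
        return tok.key

    def authorize(self, token_key: str, use_1_0a: bool = True) -> Optional[str]:
        """Resource owner approves the request token in their browser.

        Under 1.0a the server mints a verifier and returns it to that
        browser (via the callback or by displaying it), so only the party
        that went through authorization learns it. Under plain 1.0 there
        is nothing to hand back.
        """
        tok = self.request_tokens[token_key]
        tok.authorized = True
        if use_1_0a:
            tok.verifier = secrets.token_urlsafe(12)
        return tok.verifier

    def exchange_for_access_token(
        self,
        consumer_key: str,
        token_key: str,
        verifier: Optional[str] = None,
        strict_1_0a: bool = True,
    ) -> Optional[str]:
        """Return an access token, or None if the exchange must be refused."""
        tok = self.request_tokens.get(token_key)
        if tok is None or tok.consumer_key != consumer_key or not tok.authorized:
            return None
        if strict_1_0a:
            # The 1.0a check: the caller must present the verifier minted at
            # authorization. Constant-time compare avoids leaking it by timing.
            if tok.verifier is None or verifier is None:
                return None
            if not hmac.compare_digest(tok.verifier.encode(), verifier.encode()):
                return None
        # A request token is single-use: drop it before issuing the access token.
        del self.request_tokens[token_key]
        access_key = secrets.token_urlsafe(16)
        self.access_tokens[access_key] = consumer_key
        return access_key


def demo() -> Dict[str, bool]:
    """Walk one consumer through both flavours and report what the server allows."""
    results: Dict[str, bool] = {}

    strict = TokenStore()
    rt = strict.issue_request_token("consumer-a")
    results["unauthorized_rejected"] = strict.exchange_for_access_token("consumer-a", rt) is None
    verifier = strict.authorize(rt)
    results["no_verifier_rejected"] = strict.exchange_for_access_token("consumer-a", rt) is None
    results["wrong_verifier_rejected"] = (
        strict.exchange_for_access_token("consumer-a", rt, "not-the-verifier") is None
    )
    results["right_verifier_accepted"] = (
        strict.exchange_for_access_token("consumer-a", rt, verifier) is not None
    )
    results["token_single_use"] = strict.exchange_for_access_token("consumer-a", rt, verifier) is None

    legacy = TokenStore()
    rt2 = legacy.issue_request_token("consumer-a")
    legacy.authorize(rt2, use_1_0a=False)
    # 1.0 semantics: whoever holds the authorized request token key completes the exchange.
    results["legacy_exchange_unbound"] = (
        legacy.exchange_for_access_token("consumer-a", rt2, strict_1_0a=False) is not None
    )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the module prints one line per check; every entry is True, the last of them showing that the legacy path hands out an access token to anyone who presents the authorized request token key, while the strict path refuses without the verifier, refuses a wrong verifier, refuses a different consumer key, and consumes the request token on first use.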

Loïc Minier (lool) wrote :

18:29 < lool> kees: Hey I'm happy to promote python-oauth unless you'd like to
          do a security review; it's relatively small and trivial python lib
          but it's parsing data from the net
          https://bugs.launchpad.net/bugs/408878
18:42 < james_w> lool, kees: python-oauth implements OAuth 1.0, not 1.0a, so is
          vulnerable to what can be a very serious session fixation attack
18:42 < james_w> it's not really a "full of buffer overflows" problem, but
          something to consider
18:43 < kees> james_w: sounds like a reason to reject it to me.
18:43 < kees> lool: what needs it?
18:44 < james_w> kees: Ubuntu One, the new python-launchpadlib
18:44 < james_w> (the old one embeds a copy :-/)

That's a really serious issue, but I don't know whether Ubuntu One or launchpadlib are affected.

Changed in python-oauth (Ubuntu):
status: In Progress → Incomplete
Loïc Minier (lool) wrote :

Ok since no further progress was made here in the last weeks, I'm dropping this MIR for now; please reopen when ready. Thanks!

Changed in python-oauth (Ubuntu):
status: Incomplete → Invalid
James Westby (james-w) wrote :

I've just uploaded a new package with a new SVN snapshot including that
change. This now allows servers to implement the fixed protocol, which is
a step above forcing them to implement the broken one. I think that would
make it suitable for main now (given that none of the users we have
implements a server in Ubuntu anyway).

Thanks,

James

Changed in python-oauth (Ubuntu):
status: Invalid → New
James Westby (james-w) wrote :

Setting to incomplete: after talking with dobey, we may not want
this code in main. We'll discuss further and come up with a plan.

Thanks,

James

Changed in python-oauth (Ubuntu):
status: New → Incomplete
Martin Pitt (pitti)
Changed in python-oauth (Ubuntu):
assignee: Loïc Minier (lool) → James Westby (james-w)
Martin Pitt (pitti) wrote :

James' new python-launchpadlib upload also requires this library as a build dependency now.

James Westby (james-w) wrote :

<james_w> kees: geser has pointed out that as we already have two copies of oauth.py in main, does promoting it cause us a real issue, even if we may not want python-oauth in main by release in its current state
<kees> james_w: given the embeddedness, I think it makes sense to promote it as-is. we should re-address it in the future, though.
<james_w> thanks
<james_w> I will continue to track the issue so that we have one copy of oauth functionality with no known gaping holes in main by release

Promoting based on this.

Thanks,

James

Kees Cook (kees) wrote :

Yeah, +1, with the hopes of re-addressing the protocol version issues at a later time.

Changed in python-oauth (Ubuntu):
status: Incomplete → In Progress
importance: Undecided → High
James Westby (james-w)
Changed in python-oauth (Ubuntu):
status: In Progress → Fix Released