[MIR] python-oauth2

Bug #1213934 reported by Chuck Short
Affects: python-oauth2 (Ubuntu)
Status: Won't Fix
Importance: Critical
Assigned to: Unassigned
Milestone: -

Bug Description

Availability: Currently in universe
Rationale: Dependency for keystone.
Security: No security history.
Quality Assurance: Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.
Standards Compliance: FHS and Debian Policy compliant.
Maintenance: Simple python package that the Ubuntu Server Team will take care of.
Dependencies: All are in main

Michael Terry (mterry) wrote :

Ubuntu prefers python-oauthlib for OAuth. See http://www.wefearchange.org/2012/11/uds-update-1-oauth.html for the backstory.

The one missing piece of python-oauthlib is lack of server side bits of OAuth. I'm guessing that keystone needs those server side bits? And thus can't use python-oauthlib?

Changed in python-oauth2 (Ubuntu):
status: New → Incomplete
Chuck Short (zulcss) wrote :

I believe this is correct, and considering how late in the cycle it is I don't think it's possible to switch it to oauthlib, considering upstream and Ubuntu are deep in FF.

Michael Terry (mterry) wrote :

OK, assigning to our local security MIR member then, since it seems this could be sensitive.

Changed in python-oauth2 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Incomplete → New
Jamie Strandboge (jdstrand) wrote :

Can someone authoritatively find out if python-oauthlib still doesn't have what keystone needs (e.g., ask barry)? Seth can take a look at this after that is determined.

Changed in python-oauth2 (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Barry Warsaw (barry) wrote :

Looks like the latest version of oauthlib has some server support added, though you'll have to determine whether it's enough for your needs. I will file an FFe to get saucy's version updated to the latest Debian version.

Chuck Short (zulcss)
Changed in python-oauth2 (Ubuntu):
importance: Undecided → Critical
Seth Arnold (seth-arnold) wrote :

I reviewed python-oauth2 version 1.5.211-2ubuntu3 as checked into saucy.
This should not be considered a full security audit but instead just a
quick check of code quality.

- This library provides a Python implementation of OAuth2 client and
  server, so HTTP clients can use private resources without exposing a
  username / password combination to the HTTP client.
- Uses HMAC, SHA1
- Uses python-httplib2 for networking
- Intended use of this library is as a plugin for other services,
  though imap and smtp examples are provided.
- Does not itself listen on external interfaces but extensively handles
  network-supplied data
- Does not have privileged portions of code
- No initscripts, dbus services, setuid programs, binaries, sudo fragments
- Good test suite
- No cronjobs
- Clean build logs
- No spawned subprocesses
- No file handling
- Exceptions may provide unescaped user-supplied data via web services or
  log files, probably the exceptions should escape the user-supplied data.
- No environment variables
- Only uses HMAC-SHA1 cryptography primitive, used appropriately
- Does not use webkit

I've requested CVEs for some of the results of my audit.

I noticed build_authenticate_header() doesn't escape realm, and
to_header() doesn't escape oauth_* keys, nor realm. This is completely
fine if the realms and oauth_* keys are hardcoded, and is probably fine
if they are at most configured in a configuration file, but if
an untrusted actor is in a position to configure the name of a realm,
arbitrary HTTP headers and body content can be injected into requests
or responses. A library should probably escape these inputs.

This library also makes it easy to use both HTTP (without TLS) and
PLAINTEXT signature methods. As OAuth2 requires HTTPS for safe use, it
would be ideal to forbid HTTP, and it is difficult to see the value of the
PLAINTEXT signature method.

Here are the conditions for promoting python-oauth2 to main:
- The CVEs I've requested need to be fixed
- Someone more familiar with the code needs to strongly consider patching
  out HTTP support
- Someone more familiar with the code needs to strongly consider patching
  out PLAINTEXT support
- Someone more familiar with the code needs to report if the unescaped
  network-supplied data in exceptions can cause XSS or CSRF problems.

As this package currently stands, security team NAK for including into main.

Thanks

Changed in python-oauth2 (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
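The header-injection point raised in the review above, as an added example that is not python-oauth2's own code: a hardened version of the two helpers it names. The function names mirror the review's build_authenticate_header() and to_header(); their signatures, the HeaderInjectionError type and the is_injection_safe() helper are assumptions made for this illustration.

```python
import re
from urllib.parse import quote

# Constructed example, not the library's implementation. Header values
# must never contain control characters (CR/LF would start a new header
# line), and a realm placed inside a quoted-string must not be able to
# close the quotes early.
_CTL = re.compile(r"[\x00-\x1f\x7f]")
_OAUTH_KEY = re.compile(r"oauth_[A-Za-z0-9_]+")


class HeaderInjectionError(ValueError):
    """Raised when a value would break out of the header it is placed in."""


def is_injection_safe(value):
    """True if `value` contains no control characters (no CR, LF, NUL...)."""
    return _CTL.search(value) is None


def quote_string(value):
    """Return `value` as an HTTP quoted-string, with '"' and '\\' escaped."""
    if not is_injection_safe(value):
        raise HeaderInjectionError("control character in header value")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_authenticate_header(realm=""):
    """WWW-Authenticate header with the realm safely quoted (assumed API)."""
    return {"WWW-Authenticate": "OAuth realm=%s" % quote_string(realm)}


def to_header(params, realm=""):
    """Authorization header for oauth_* params with keys and values escaped.

    Keys are restricted to a token charset (so a key cannot smuggle in
    separators or CR/LF); values are percent-encoded, which removes
    quotes and control characters as a side effect.
    """
    parts = ["realm=%s" % quote_string(realm)]
    for key, value in sorted(params.items()):
        if not key.startswith("oauth_"):
            continue  # non-oauth params belong in the query/body, not here
        if not _OAUTH_KEY.fullmatch(key):
            raise HeaderInjectionError("bad oauth parameter name %r" % key)
        parts.append('%s="%s"' % (key, quote(str(value), safe="~")))
    return {"Authorization": "OAuth " + ", ".join(parts)}
```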
Seth Arnold (seth-arnold) wrote :
Michael Terry (mterry) wrote :

Well, python-oauthlib got sync'd to version 0.5.1. Can we have keystone use that?

Anders (eddiedog988)
Changed in python-oauth2 (Ubuntu):
status: New → Confirmed
Tyler Hicks (tyhicks) wrote :

I've asked Chuck to comment on the current state of this MIR. Specifically, whether python-oauthlib is now sufficient for keystone's needs.

Changed in python-oauth2 (Ubuntu):
status: Confirmed → Incomplete
Tyler Hicks (tyhicks) wrote :

I see that python-keystone in 14.04 and newer depends on python-oauthlib, so I'm assuming that this MIR is no longer needed.

Tyler Hicks (tyhicks) wrote :

From IRC, Chuck thinks that python-oauthlib is sufficient:

  14:52 < tyhicks> zul: so python-oauthlib is sufficient and we can mark the python-oauth2 MIR as "won't fix"?
  14:52 < zul> tyhicks: should be

Marking this MIR as "Won't Fix" since we no longer need python-oauth2 in main.

Changed in python-oauth2 (Ubuntu):
status: Incomplete → Won't Fix