Fix security bug regarding long lived threads #179

redshiftzero · 2018-11-15T22:17:37Z

Fixes #178

redshiftzero · 2018-11-15T22:28:36Z

So the way to test this is to follow the steps in #178 (adding a log line prior to the time.sleep in each thread). Then when you log out you should see:

2018-11-15 13:59:17,166 - root:146(run) INFO: still here with self.api: <sdclientapi.API object at 0x11136b390>
2018-11-15 13:59:17,238 - root:100(run) INFO: still here with self.api: <sdclientapi.API object at 0x11136b390>
[ --- user clicks log out here --- ]
2018-11-15 13:59:22,171 - root:146(run) INFO: still here with self.api: None
2018-11-15 13:59:22,239 - root:100(run) INFO: still here with self.api: None
2018-11-15 13:59:27,175 - root:146(run) INFO: still here with self.api: None

emkll

Went though the test plan in qubes and works as expected, thanks @redshiftzero . Invalidating tokens server-side is tracked as part of freedomofpress/securedrop#3933

redshiftzero added 2 commits November 15, 2018 14:06

reply, message long lived threads get logged out

f239a05

Add tests for message, reply logout behavior

5964ed4

emkll approved these changes Nov 15, 2018

View reviewed changes

redshiftzero merged commit 88ff31c into master Nov 15, 2018

redshiftzero deleted the fix-security-bug-long-lived-threads branch November 15, 2018 22:42

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix security bug regarding long lived threads #179

Fix security bug regarding long lived threads #179

redshiftzero commented Nov 15, 2018

redshiftzero commented Nov 15, 2018

emkll left a comment

Fix security bug regarding long lived threads #179

Fix security bug regarding long lived threads #179

Conversation

redshiftzero commented Nov 15, 2018

redshiftzero commented Nov 15, 2018

emkll left a comment

Choose a reason for hiding this comment