Generate a new SECRET_KEY during first time setup #4213

Closed
aronasorman opened this issue Aug 6, 2015 · 0 comments

Branch: all the branches

Expected behaviour: Arbitrary user doesn't know what their installation's secret key is.

Actual behaviour: Our secret key is not just shared across all installations, it's public as well! This means that any of the methods described in this Stack Overflow answer is vulnerable to attack.

So we should generate a key that will always be read by KA Lite, even if a different settings object is specified.

aronasorman self-assigned this Aug 6, 2015
aronasorman added this to the 0.14.x bugfixes milestone Aug 6, 2015
aronasorman added a commit to aronasorman/ka-lite that referenced this issue Sep 24, 2015
aronasorman added a commit to aronasorman/ka-lite that referenced this issue Sep 25, 2015
aronasorman added a commit to aronasorman/ka-lite that referenced this issue Sep 25, 2015
aronasorman added a commit to aronasorman/ka-lite that referenced this issue Sep 25, 2015
aronasorman added a commit to aronasorman/ka-lite that referenced this issue Sep 25, 2015
aronasorman added a commit to aronasorman/ka-lite that referenced this issue Sep 28, 2015
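
One way to generate a per-installation key on first run, as an added example (it is not KA Lite's code and not the fix from the commits referenced above). The function name, key length and file location are assumptions made for illustration.

```python
import os
import secrets

KEY_BYTES = 50  # assumption: bytes of randomness behind the generated key


def load_or_create_secret_key(path):
    """Return the installation's secret key stored at `path`.

    On first run the key is generated from the OS CSPRNG and written to a
    file only the owning user can read. Later runs return the stored key,
    so sessions and signed values survive restarts.
    """
    try:
        # O_EXCL makes creation atomic: exactly one process creates the
        # file and an existing key is never overwritten. Mode 0o600 keeps
        # other local users from reading it (POSIX; umask can only remove
        # bits, never add them).
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        with open(path, "r", encoding="ascii") as f:
            key = f.read().strip()
        if not key:
            # Fail closed rather than run with an empty or default key,
            # e.g. when an earlier first-time setup was interrupted.
            raise RuntimeError("secret key file %s is empty" % path)
        return key

    key = secrets.token_urlsafe(KEY_BYTES)
    with os.fdopen(fd, "w", encoding="ascii") as f:
        f.write(key)
    return key


# Hypothetical use: assign the key after whichever settings module was
# loaded, so a custom settings object cannot bring back the shared key:
#   SECRET_KEY = load_or_create_secret_key(os.path.join(data_dir, "secretkey.txt"))
```

The key file has to stay out of version control and out of distributed packages, otherwise every installation shares the same key again.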