Issue 46: Security: Email activation links are insecure
Status:  Accepted
Owner:  andyster
Reported by s...@samj.net, Mar 15, 2009
The api.activation_required function trims the randomly generated UUID back
to an insecure 4 digits:

@admin_required
def activation_create(api_user, nick, type, content):
  activation_ref = Activation(
      actor=nick,
      content=content,
      code=util.generate_uuid()[:4],  # only the first 4 characters of the UUID are kept
      type=type,
      )
  activation_ref.put()
  return activation_ref

This means that the entire keyspace is 64k, which is easily brute-forceable.
Ideally the entire UUID would be used by dropping the [:4] above, but this
may create line-wrapping problems in some email clients.

Apr 22, 2009
Project Member #1 andyster
Sounds pretty reasonable. I'd still want to limit the length a bit, maybe 10-ish digits.
Status: Accepted
Owner: andyster
Labels: Security
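The following is an added example, not code from this project: it quantifies the keyspace the report describes (4 hex characters of a UUID) and shows a hardened code generator at roughly the 10-character length suggested in comment #1, with a constant-time comparison for the lookup. util.generate_uuid and the Activation model are not reproduced; the 62-symbol email-safe alphabet and the function names are assumptions.

```python
import math
import secrets
import hmac

# Vulnerable pattern from the report: generate_uuid()[:4] keeps four hex
# characters, i.e. 4 * 4 = 16 bits, so at most 16**4 == 65536 codes exist.
HEX_ALPHABET = "0123456789abcdef"
# Assumed alphabet for the hardened code: URL- and email-safe, short enough
# not to wrap in mail clients, 62 symbols so each character carries ~5.95 bits.
SAFE_ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def keyspace_size(code_len, alphabet=HEX_ALPHABET):
    """Number of distinct codes of code_len characters over the alphabet."""
    return len(alphabet) ** code_len


def keyspace_bits(code_len, alphabet=HEX_ALPHABET):
    """Entropy of a uniformly chosen code, in bits."""
    return code_len * math.log2(len(alphabet))


def min_length_for_bits(target_bits, alphabet=SAFE_ALPHABET):
    """Shortest code length over the alphabet reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate_activation_code(code_len=10, alphabet=SAFE_ALPHABET):
    """Hardened replacement for generate_uuid()[:4]: code_len characters drawn
    uniformly from the alphabet with the OS CSPRNG (secrets.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(code_len))


def code_matches(stored_code, presented_code):
    """Constant-time comparison so response timing does not reveal how many
    leading characters of a presented code were correct."""
    return hmac.compare_digest(stored_code.encode(), presented_code.encode())


if __name__ == "__main__":
    print(f"4 hex chars: {keyspace_size(4)} codes, {keyspace_bits(4):.0f} bits")
    print(f"10 hex chars: {keyspace_size(10)} codes, {keyspace_bits(10):.0f} bits")
    n = min_length_for_bits(64)
    print(f"{n} chars of the 62-symbol alphabet give at least 64 bits")
    print("sample code:", generate_activation_code())
```

The generator is only half of the fix: the activation endpoint should also rate-limit failed attempts and expire codes, since a short code remains guessable in principle.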
