From d18f42d021dd69161b46af71e6b89e71610494b0 Mon Sep 17 00:00:00 2001
From: Randy Barlow
Date: Feb 11 2019 15:34:25 +0000
Subject: CVE-2019-7628: Do not leak partial API keys.

It was discovered that Pagure was leaking API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is possible for man-in-the-middle attacks to read these e-mails and gain access to Pagure on the behalf of other users. The vulnerability was introduced in [0].

This problem was partially addressed in a prior commit[1], but that commit still leaks the first 5 characters of the key which weakens the secret. This commit uses the description of the API key instead of any part of the secret in the e-mail sent to users so that none of the key is e-mailed over the Internet.

[0] 57975ef30641907947038b608017a9b721eb33fe
[1] 9905fb1e64341822366b6ab1d414d2baa230af0a

fixes #4253

Signed-off-by: Randy Barlow
---
diff --git a/files/api_key_expire_mail.py b/files/api_key_expire_mail.py
index d4b0408..645c845 100755
--- a/files/api_key_expire_mail.py
+++ b/files/api_key_expire_mail.py
@@ -45,7 +45,6 @@ def main(check=False, debug=False):
         user = token.user
         username = user.fullname or user.username
         user_email = user.default_email
-        api_key = token.id
         days_left = (token.expiration - datetime.utcnow()).days
         subject = 'Pagure API key expiration date is near!'
         if token.project:
@@ -57,7 +56,7 @@ Please get a new key for non-interrupted service.
 Thanks,
 Your Pagure Admin.
 ''' % (
                 username,
-                api_key[:5],
+                token.description,
                 token.project.fullname,
                 days_left )
@@ -69,7 +68,7 @@ Please get a new key for non-interrupted service.
 Thanks,
 Your Pagure Admin.
 ''' % (
                 username,
-                api_key[:5],
+                token.description,
                 days_left)
         if not check:
             msg = pagure.lib.notify.send_email(text, subject, user_email)
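Review bot: The `token.description` substituted for `api_key[:5]` in the second and third hunks has no fallback, so if a token's description is optional and unset (I cannot see the model from here) the `%s` renders the literal text `None` and the recipient cannot tell which of their keys is expiring. A non-secret fallback keeps the fix intact while staying useful, e.g. `token.description or '(no description)'` in both tuples, or the expiration date that the first hunk already computes from `token.expiration`. Whatever is chosen should remain free of any part of `token.id`, which is the whole point of this commit. The enclosing `main` function begins and ends outside these hunks, so the template strings being formatted are not visible for review.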