d18f42d CVE-2019-7628: Do not leak partial API keys.

1 file · Authored by Randy Barlow 5 months ago, Committed by pingou 5 months ago
    CVE-2019-7628: Do not leak partial API keys.
    
    It was discovered that Pagure was leaking API keys by e-mailing
    them to users. Few e-mail servers validate TLS certificates, so
    it is possible for man-in-the-middle attacks to read these e-mails
    and gain access to Pagure on behalf of other users. The
    vulnerability was introduced in [0].
    
    This problem was partially addressed in a prior commit [1], but
    that commit still leaks the first 5 characters of the key which
    weakens the secret.
    
    This commit uses the description of the API key instead of any part
    of the secret in the e-mail sent to users so that none of the key
    is e-mailed over the Internet.
    
    [0] 57975ef30641907947038b608017a9b721eb33fe
    [1] 9905fb1e64341822366b6ab1d414d2baa230af0a
    
    fixes #4253
    
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    
file modified: +2 -3
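The change described in the commit message, shown as an added example rather than Pagure's own code: the notification that used to carry the first characters of the API key is rebuilt around the key's description, and a simple outbound check scans a rendered message for any fragment of the secret so the weakened-secret case the message describes is caught before the mail is sent. The `ApiToken` class, the two render functions, `leaks_secret`, the minimum run length of 5 (the length of the fragment the earlier commit leaked) and the sample token value are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiToken:
    """Minimal stand-in for an API key record (constructed for this example)."""
    secret: str        # the bearer secret; must never appear in e-mail
    description: str   # user-supplied label, safe to show
    expiration: str    # expiry date as text


def render_expiry_mail_before(token: ApiToken) -> str:
    """The pattern the commit replaces: a truncated key still discloses part of the secret."""
    return (
        f"Your API key {token.secret[:5]}... will expire on {token.expiration}. "
        "Please generate a new one if you still need it."
    )


def render_expiry_mail_after(token: ApiToken) -> str:
    """The fixed pattern: identify the key by its description only."""
    return (
        f"Your API key '{token.description}' will expire on {token.expiration}. "
        "Please generate a new one if you still need it."
    )


def leaks_secret(body: str, secret: str, min_run: int = 5) -> bool:
    """Return True if any contiguous run of at least `min_run` characters
    of `secret` occurs in `body`. Checking runs rather than the whole value
    catches partial disclosures such as a truncated key prefix."""
    if len(secret) < min_run:
        return secret in body
    return any(
        secret[start:start + min_run] in body
        for start in range(len(secret) - min_run + 1)
    )


def find_leaking_tokens(body: str, tokens: list[ApiToken]) -> list[str]:
    """Descriptions of every token whose secret (or a fragment of it) appears in `body`;
    intended as a last-line check on outbound notification text."""
    return [t.description for t in tokens if leaks_secret(body, t.secret)]


# Constructed sample token; the secret is a fixed made-up string so results are reproducible.
SAMPLE_TOKEN = ApiToken(
    secret="K7pQ2mX9vB4nR8tL1wZ5cJ3hF6gD0sA",
    description="CI deploy key",
    expiration="2019-03-01",
)


if __name__ == "__main__":
    before = render_expiry_mail_before(SAMPLE_TOKEN)
    after = render_expiry_mail_after(SAMPLE_TOKEN)
    print("before:", before)
    print("  leaks:", find_leaking_tokens(before, [SAMPLE_TOKEN]))
    print("after: ", after)
    print("  leaks:", find_leaking_tokens(after, [SAMPLE_TOKEN]))
```

The run-length check is deliberately conservative: a 5-character fragment of a random 31-character alphanumeric secret has a negligible chance of appearing in a short message by accident, while any template that copies a key prefix into the body is flagged every time.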