@@ -45,7 +45,6 @@
user = token.user
username = user.fullname or user.username
user_email = user.default_email
- api_key = token.id
days_left = (token.expiration - datetime.utcnow()).days
subject = 'Pagure API key expiration date is near!'
if token.project:
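Review bot: dropping `api_key = token.id` is the right shape of fix, because it takes the secret out of scope for the whole mail-building block instead of trimming how much of it is printed; the hunk header going from 7 to 6 lines confirms nothing replaces it. Please confirm that no reference to `api_key` survives outside this hunk (the two visible uses are swapped for `token.description` in the following hunks), since a leftover one would now raise a NameError only when an expiring token is actually processed, a path an ordinary test run may not exercise.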
@@ -57,7 +56,7 @@
Thanks,
Your Pagure Admin. ''' % (
username,
- api_key[:5],
+ token.description,
token.project.fullname,
days_left
)
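Review bot: `token.description` can be empty or None for a key created without a description, in which case the `%` formatting puts the literal text `None` into the mail and the recipient has no way to tell which key is expiring. Consider a fallback such as `token.description or '(no description)'`, or add a non-secret identifier like the expiration date. The substitution itself is correct in that no fragment of the secret reaches the message body any more.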
@@ -69,7 +68,7 @@
Thanks,
Your Pagure Admin. ''' % (
username,
- api_key[:5],
+ token.description,
days_left)
if not check:
msg = pagure.lib.notify.send_email(text, subject, user_email)
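Review bot: same concern as in the project-scoped template: `token.description` needs a fallback for keys created without one. More generally, this hunk and the previous one make an identical change to two near-duplicate templates, which is exactly how the earlier partial fix left `api_key[:5]` behind; building the body once and varying only the project line would make the next change to this text a single edit. Minor: `days_left)` closes the argument tuple on the same line here, while the other template puts `)` on its own line.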
It was discovered that Pagure was leaking API keys by e-mailing
them to users. Few e-mail servers validate TLS certificates, so
it is possible for man-in-the-middle attacks to read these e-mails
and gain access to Pagure on behalf of other users. The
vulnerability was introduced in [0].

This problem was partially addressed in a prior commit[1], but
that commit still leaks the first 5 characters of the key which
weakens the secret.

This commit uses the description of the API key instead of any part
of the secret in the e-mail sent to users so that none of the key
is e-mailed over the Internet.

[0] 57975ef
[1] 9905fb1

fixes #4253

Signed-off-by: Randy Barlow <randy@electronsweatshop.com>