openATTIC / OP-2873

Fix world-readable Django secret


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.5.2
    • Fix Version/s: 3.6.1
    • Component/s: Backend
    • Labels:
    • External issue ID: bsc#1064628

      Description

      From SES5 release/media security audit:

      The per-installation Django secret key is stored in a world-readable file.
      In this case: /usr/share/openattic/.secret.txt, root:root 644.

      This is needlessly open. For Django this should be protected at all times. Among other things this affects cookie security.

      The secret is generated automatically in openATTIC code:
      https://github.com/openattic/openattic/blob/master/backend/settings.py#L176-L195
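      The following is an added example, not openATTIC's own settings.py code, showing the difference the report is about: a secret file created with a plain open(path, "w") inherits the process umask (commonly 022, giving root:root 644 as seen here), whereas creating it through os.open() with O_CREAT|O_EXCL and mode 0o600 is private from the first instant, with a load routine that refuses a key other users can read. Function names (write_secret_weak, write_secret_private, world_readable, load_or_create_secret, demonstrate) and the temporary paths are assumptions of this example; the key alphabet and length mirror Django's get_random_secret_key() without importing Django.

```python
"""Added example (not openATTIC code): keep the Django SECRET_KEY file private."""
import os
import secrets
import stat
import tempfile

# Same 50-character alphabet and length that Django's get_random_secret_key() uses.
SECRET_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
SECRET_LENGTH = 50


def generate_secret_key(length=SECRET_LENGTH):
    """Generate a key from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def write_secret_weak(path, key):
    """The weak pattern: the mode comes from the umask, so 022 yields 0644."""
    with open(path, "w") as fh:
        fh.write(key)


def write_secret_private(path, key):
    """Create the file with mode 0600 atomically, independent of the umask.
    O_EXCL makes this fail instead of clobbering a file that already exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)


def world_readable(path):
    """True if group or other has the read bit on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def load_or_create_secret(path):
    """Read an existing key or create one privately. A key readable by other
    users lets them forge signed cookies and sessions, so refuse to use it."""
    if not os.path.exists(path):
        write_secret_private(path, generate_secret_key())
    if world_readable(path):
        raise PermissionError(f"{path} is readable by group/other; chmod 600 it")
    with open(path) as fh:
        key = fh.read().strip()
    if len(key) < SECRET_LENGTH:
        raise ValueError(f"{path}: secret key shorter than {SECRET_LENGTH} chars")
    return key


def demonstrate():
    """Run both patterns in a scratch directory under umask 022 (assumed here to
    reproduce the 644 case) and return what a practitioner would check."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            weak = os.path.join(tmp, "weak.secret.txt")
            good = os.path.join(tmp, "good.secret.txt")
            write_secret_weak(weak, generate_secret_key())
            key = load_or_create_secret(good)
            try:
                load_or_create_secret(weak)
                weak_refused = False
            except PermissionError:
                weak_refused = True
            return {
                "weak_world_readable": world_readable(weak),
                "good_world_readable": world_readable(good),
                "good_mode": oct(stat.S_IMODE(os.stat(good).st_mode)),
                "key_length": len(key),
                "reloaded_matches": load_or_create_secret(good) == key,
                "weak_refused": weak_refused,
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

      The same check applies to an already-deployed installation: a secret file whose mode shows group or other read bits should be chmod 600 and, since it may already have been read, the key should be regenerated, which invalidates existing sessions and signed cookies.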

              People

              • Assignee: Sebastian Wagner (swagner)
              • Reporter: Volker Theile (vtheile)
              • Votes: 0
              • Watchers: 1

                Dates

                • Created:
                  Updated:
                  Resolved: