Description
When using HTTP authentication, the user's password is stored as an unsalted hash in the user's data file.
I am running MoinMoin from Twisted behind an Apache server acting as a proxy. Apache performs the actual authentication, so the wiki should not need to store the user's password at all.
A related problem is that when the user's password changes, the password passed through to MoinMoin in the HTTP Authorization header changes as well, and MoinMoin forgets all the user's settings.
Steps to reproduce
- configure auth = [http]
- log in using HTTP authentication
- the user's password appears in data/users/$(user_id)/ as the value of the enc_password key
Details
MoinMoin Version | 1.5.5a
OS and Version | Debian GNU/Linux 3.0 ("sarge")
Python Version | 2.3.5
Server Setup | Using twistd behind an Apache proxy
Server Details |
Workaround
try1.patch adds a new configuration option, user_save_password, that prevents the password from being saved to the user's data file. The default value for this option is True, for backwards compatibility. IMO, it should be False so that we are secure by default. The option is somewhat badly named, since it only affects HTTP authentication (and even then, only with Twisted). Perhaps it should be called auth_http_save_password.
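The following is an added, constructed model of the two behaviours described above (the stored unsalted hash and the "forgotten settings" symptom, and the save_password option from the workaround); it is not MoinMoin's code or try1.patch. It assumes a dict-backed stand-in for data/users/, and assumes the settings loss arises from a profile being discarded when the header password no longer matches the stored hash.

```python
import base64
import hashlib


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' header value."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic authentication")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def login(store, header, save_password):
    """Resolve the proxy-authenticated user's profile in `store` (name -> profile).

    save_password=True models the reported behaviour: the header password is kept
    as an unsalted hash under enc_password, and a later mismatch discards the
    profile (assumed mechanism for the settings loss).  save_password=False trusts
    the proxy's authentication: only the name is used and no secret is stored.
    """
    name, password = parse_basic_auth(header)
    profile = store.get(name)
    if save_password:
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest()  # unsalted
        if profile is not None and profile.get("enc_password") != digest:
            profile = None  # password rotated upstream -> old profile dropped
        if profile is None:
            profile = {"name": name, "settings": {}}
            store[name] = profile
        profile["enc_password"] = digest
    else:
        if profile is None:
            profile = {"name": name, "settings": {}}
            store[name] = profile
        profile.pop("enc_password", None)  # never persist the proxy's secret
    return profile


def demo(save_password):
    """Log in, save a setting, log in again after a password change (constructed)."""
    store = {}
    header = lambda pw: "Basic " + base64.b64encode(("alice:" + pw).encode()).decode()
    first = login(store, header("first-password"), save_password)
    first["settings"]["theme"] = "modern"
    again = login(store, header("rotated-password"), save_password)
    # (setting still present?, secret stored in the profile?)
    return again["settings"].get("theme"), "enc_password" in store["alice"]
```

demo(True) yields (None, True): the setting is lost and a hash of the password sits in the profile; demo(False) yields ("modern", False).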
Discussion
Pretty similar to ../LdapPasswordHashStoredInFilesystem.
Plan
- Priority:
- Assigned to:
- Status: fixed in 1.6