[Python-modules-team] Bug#686104: python-django-registration: Not compatible with, Django 1.4.

Raphael Hertzog hertzog at debian.org
Fri Aug 31 07:59:11 UTC 2012


On Fri, 31 Aug 2012, Winfried Tilanus wrote:
> On 08/31/2012 08:41 AM, Raphael Hertzog wrote:
> 
> > What openly available data are you referring to?
> 
> The hash calculated in django-registration is sent out to people
> registering a new account, as part of the url to click on when
> confirming the registration of a new account. It is used as identifier
> in the communication. So if you are able to calculate a collision in it,
> you might do things like:
> - register an account on a non-existing e-mail address
> - register an account on the e-mail address of somebody else
> - confirm a registration request of somebody else

To be able to "calculate a collision", you need to discover one of the
activation keys that has been sent out. They are not public, they are sent
by private mail. So you need either a MITM attack vector or you have
already compromised the user's email.

And then to generate the collision, AFAIK you need to know the fixed part
of the input to the hash function and you need to be able to control the
rest. Here this is not the case, you control the username part but
you don't control the random part that django-registration injects:

        salt = sha.new(str(random.random())).hexdigest()[:5]
        activation_key = sha.new(salt+user.username).hexdigest()
        return self.create(user=user,
                           activation_key=activation_key)

Thus I don't see any security issue here.

There are probably plenty of reasons to have django-registration 0.8 in wheezy,
but TTBOMK this is not one of them.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
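As an added illustration (not code from this thread or from django-registration itself), here is the quoted construction ported to Python 3's hashlib, since the Python 2 `sha` module no longer exists, together with a toy pending-registration store that confirms an account by the mailed key alone, as the click-through URL does. The `secrets`-based salt source and the `RegistrationStore` class are assumptions made for this example.

```python
import hashlib
import secrets
from typing import Dict, Optional

# The quoted snippet keeps only the first 5 hex digits of sha1(random.random()).
SALT_HEX_CHARS = 5


def make_salt() -> str:
    """Random part the registrant does not control (assumption: drawn from `secrets`,
    then truncated to 5 hex characters exactly as in the quoted code)."""
    return hashlib.sha1(secrets.token_bytes(16)).hexdigest()[:SALT_HEX_CHARS]


def make_activation_key(username: str, salt: str) -> str:
    """sha1(salt + username), hex encoded: the value mailed to the registrant."""
    return hashlib.sha1((salt + username).encode("utf-8")).hexdigest()


class RegistrationStore:
    """Minimal stand-in for the RegistrationProfile table (constructed for this example).
    The activation key is the identifier; nothing else is needed to confirm."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # activation_key -> username

    def register(self, username: str, salt: Optional[str] = None) -> str:
        """Create a pending registration and return the key that would be mailed."""
        key = make_activation_key(username, salt if salt is not None else make_salt())
        self._pending[key] = username
        return key

    def activate(self, key: str) -> Optional[str]:
        """Confirm by key; a key that was never issued (or already used) confirms nothing."""
        return self._pending.pop(key, None)


def demo() -> Dict[str, object]:
    """Show that the key for one username changes with the salt, and that only the
    issued key activates the pending account."""
    store = RegistrationStore()
    key_a = store.register("alice", salt="0f3a9")  # constructed sample salt
    key_b = make_activation_key("alice", "7c1e2")  # same username, different salt
    forged = make_activation_key("alice", "00000")  # key for a salt that was never issued
    return {
        "same_user_differs_by_salt": key_a != key_b,
        "forged_key_activates": store.activate(forged) is not None,
        "issued_key_activates": store.activate(key_a) == "alice",
        "reuse_activates": store.activate(key_a) is not None,
    }
```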
