Critical security update for tg2 users!

[Mark Ramm]

We recently discovered that TurboGears2 ships with quickstart configuration that leaves users of it's default user authorization/authentication scheme vulnerable to a serious security issue. 

If you are running a TG2 application in production you are strongly encouraged to set the cookie salt for the authorization cookie in repoze.who to something other than it's default value. 

This is simple enough to do, just set base_config.sa_auth.cookie_secret to any secret value you'd like.   For example: 

base_config.sa_auth.cookie_secret = "mynewsecret" 

You can also set it in development.ini using a key like:

sa_auth.cookie_secret = "mysupersecret" 

Failure to do this could leave you vulnerable to someone who knows the default cookie secret being able to craft a cookie that allows a user into your site without authenticating through the normal mechanism. 

TurboGears 2.0.2 will enforce setting the cookie secret and will refuse to run if you have not set that value in your configuration.   We've just released 2.0.2, which also fixes another security issue which could cause controller methods decorated with something other than @expose to still be exposed through the URL dispatch mechanism.

You can update to 2.0.2 with 

easy_install -Ui http://turbogears.org/2.0/downloads/current/ turbogears2

--
Mark Ramm-Christensen
email: mark at compoundthinking dot com
blog: www.compoundthinking.com/blog