Mercurial > p > roundup > code
view website/issues/initial_data.py @ 6375:c4371ec7d1c0
Call verifyPassword even if user does not exist.
Address timing attack caused by not doing the password check if the
user doesn't exist. Can expose valid usernames. Really only useful for
a tracker that doesn't allow anonymous access to issues. Issues
usually show usernames as part of the message display.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 06 Apr 2021 22:51:55 -0400 |
| parents | c2d0d3e9099d |
| children |
line wrap: on
line source
from roundup.password import Password # # TRACKER INITIAL PRIORITY AND STATUS VALUES # issue_type = db.getclass('issue_type') issue_type.create(name='crash', order='1') issue_type.create(name='compile error', order='2') issue_type.create(name='resource usage', order='3') issue_type.create(name='security', order='4') issue_type.create(name='behavior', order='5') issue_type.create(name='rfe', order='6') component = db.getclass('component') #component.create(name="any", order="1") #component.create(name="3rd party modifications", order="2") #component.create(name="command-line interface", order="3") #component.create(name="database", order="4") #component.create(name="documentation", order="5") #component.create(name="installation", order="6") #component.create(name="mail interface", order="7") #component.create(name="web interface", order="8") version = db.getclass('version') version.create(name='devel', order='1') version.create(name='1.0', order='2') version.create(name='1.1', order='3') version.create(name='1.2', order='4') version.create(name='1.3', order='5') version.create(name='1.4', order='6') severity = db.getclass('severity') severity.create(name='critical', order='1') severity.create(name='urgent', order='2') severity.create(name='major', order='3') severity.create(name='normal', order='4') severity.create(name='minor', order='5') priority = db.getclass('priority') priority.create(name='immediate', order='1') priority.create(name='urgent', order='2') priority.create(name='high', order='3') priority.create(name='normal', order='4') priority.create(name='low', order='5') status = db.getclass('status') status.create(name = "new", order = "1") status.create(name='open', order='2') status.create(name='closed', order='3') status.create(name='pending', description='user feedback required', order='4') resolution = db.getclass('resolution') resolution.create(name='accepted', order='1') resolution.create(name='duplicate', order='2') resolution.create(name='fixed', order='3') resolution.create(name='invalid', order='4') resolution.create(name='later', order='5') resolution.create(name='out of date', order='6') resolution.create(name='postponed', order='7') resolution.create(name='rejected', order='8') resolution.create(name='remind', order='9') resolution.create(name='wont fix', order='10') resolution.create(name='works for me', order='11') keyword = db.getclass("keyword") keyword.create(name="patch", description="Contains patch") # # create the two default users user = db.getclass('user') user.create(username="admin", password=adminpw, address=admin_email, roles='Admin') user.create(username="anonymous", roles='Anonymous')