Issue #48 new

uses insecure and unmaintained python-oauth2

Brian May
created an issue

Comments (3)

  1. Michał Jaworski

    I know about fact that python-oauth2 is not maintained anymore and has issues but I don't know about any that really affect security of django-oauth-plus. We have to consider if django-oauth-plus is still worth switching to oauthlib. I have to discuss this with David Larlet because he is the author of this package.

    I have used oauthlib on other project (not django related: https://github.com/swistakm/talons-oauth). It's so great and so easy to use that I think that there is no need to put anything between it and django. Of course I can be wrong.

    Still I want to address your security concerns:

    • nonce checking/validation (https://bugs.debian.org/722656) is handled explicitly by python-oauth-plus and we do not rely on python-oauth2. This is due to fact that this lib provides you a storage model for nonces and knows how to handle them.
    • poor random generation on nonces (https://bugs.debian.org/722657) affects only OAuth consumers using python-oauth2 because this is in their responsibility to generate them. Keep in mind that nonce collision means only that request won't validate in specified time window. Clients are not limited to use of python-oauth2 and I would recommend to use oauthlib in client-side code.

    If you read the sources you will find that python-oauth2 is used almost only for generating reference signatures and as a source of some python Exceptions. AFAIK this parts of it's code works quite well and has no security issues. Of course it isn't great and has known limitations but we know about them.

    Do you know about any other security issues in python-oauth2 that could affect django-oauth-plus? These already mentioned by you do not affect python-oauth-plus security.

  2. Brian May reporter

    Unfortunately, it doesn't matter that django-oauth-plus doesn't have security concerns, what matters is that it depends on python-oauth2, and python-oauth2 has security issues. This means python-oauth2 cannot be released in future releases of Debian, which in turn means that anything that depends on python-oauth2, such as django-oauth-plus also will get removed. Furthermore, anything that depends on django-oauth-plus will also get removed, too.

  3. Log in to comment