[Hackage] #911: Package uploading is completely unsecured

Hackage cvs-ghc at haskell.org
Tue Feb 14 17:46:43 CET 2012

#911: Package uploading is completely unsecured
  Reporter:  bgamari           |        Owner:         
      Type:  defect            |       Status:  new    
  Priority:  normal            |    Milestone:         
 Component:  Hackage 2 server  |      Version:
  Severity:  major             |     Keywords:         
Difficulty:  unknown           |   Ghcversion:         
  Platform:                    |  
 Right now, anyone can register an account (without passing any kind of
 CAPTCHA or anything, so bots will overrun the place quickly on a live
 site) and upload new packages to their heart's content. This is a major
 risk for several reasons (package installation can do evil stuff with
 custom build types, easy to use up tons of disk space, etc.)

 Of course, nothing can truly solve the security issue, but I suggest the

  1. A simple but Hackage-specific CAPTCHA on the registration page (e.g.
 "What language are HackageDB packages written for?") — it's unlikely that
 spambots will target it specifically, and a simple but unique CAPTCHA will
 be stronger than a generic solution like reCAPTCHA which has a lot of
 effort going into breaking it (e.g. someone being paid to fill out
 CAPTCHAs isn't going to have any idea that the answer is "Haskell")
  2. Limit package uploading to members of a group which only admins can
 add to

 This should be a simple change to the code. The workflow for a package
 uploader would be:

  1. Register an account
  2. Email the maintainer asking for a package upload

 This is basically the same as the Hackage1 registration process, but a bit
 easier for the maintainer.

 <dcoutts> bgamari, cmccann, elliott: so the auth system in the new design
 copes ok with package
 uploaders, what it does not cover well is casual users who might want to
 post reviews, vote etc,
 but not upload packages
 <dcoutts> since you probably want self-registration for those users
 <dcoutts> but for uploaders it's sensible to have a human in the loop
 <bgamari> Certainly
 <dcoutts> like we do in the current system
 <dcoutts> so there's an admin user group who can edit other groups
 <dcoutts> ie grant permissions
 <dcoutts> elliott, cmccann: right, plus in the new system since there's a
 per-package uploader
 group then unknown users cannot subvert well known names (ie packages)
 <dcoutts> so in the new system malicious people can still upload *new*
 malicious packages
 <dcoutts> but cannot subvert e.g. base

 An ideal solution would be something like:

  1. Reasonable per-user quotas (liftable on request) for disk usage, to
 stop people spamming the system
  2. Users by default can upload packages, but they're in a quarantine: not
 visible on the site or installable
  3. Whenever a user uploads their first package, the maintainer gets an
 email and can check it out and approve the user (making their packages
 public) if it looks OK
 That would be nicer, but probably require a lot more coding than the
 simpler solution.

Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/911>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects

More information about the cabal-devel mailing list