Closed asieira closed 8 years ago
Eh, I'm 50/50 on this. I agree the default user-agent isn't ideal. I don't agree that this is a large problem. I'd like to hear @Lukasa's opinion on this but he's away on vacation (as I should be).
Agreed that this is not a critical issue, but it is a security problem nonetheless.
Thank you very much for the awesome project, enjoy your vacation and let me know if there's anything I can do to help. :)
So, I've ruminated a bit on this now that I've had a chance and I'm not quite convinced it's a security problem.
In short, I think we need a much better threat model here before we change the existing behaviour. I'm fine documenting that for some use-cases the default user-agent is perhaps not ideal, and they can reference the existing documentation that shows how to set a UA.
My responses:
At the end of the day, even if you think the security gain is marginal, I guess we can all agree that it is not zero. Also, AFAIK changing this default breaks no requests functionality whatsoever (correct me if I'm wrong here). So, I would still maintain this is worth doing.
That is just my opinion, of course. More than happy to speak on a Skype or Google Hangouts call since complex subjects such as these might be easier to discuss that way.
My general position on this is that removing the kernel version is a good idea and we should do it. Other UA strings do not include it, and it's unlikely to be of much use in any role other than attacking a Linux kernel directly, so I'd be happy to strip it.
I'm +0 on removing the Python version, though we need to confirm with @dstufft that pip's not relying on our use of it. I don't believe it's a serious attack vector, but neither is it information that it's vital to be sending in the UA string.
IMO the biggest security risk in there is actually the requests version, and that's the one thing it's hard to justify removing. ;)
pip doesn't use the default user-agent at all, feel free to change it to whatever you want.
For the record I agree completely with @Lukasa, his proposal matches perfectly my original suggestion of using `python-requests/<version> (http://http://www.python-requests.org/)` as the default UA.
@asieira that is not @Lukasa's proposal. Please don't misrepresent people's comments.
If I understand @Lukasa's comments correctly, he agrees that a) removing the kernel version is a good idea, and that b) the Python version is not vital information to include in the UA, so it could be removed provided this doesn't break pip (which was subsequently confirmed by @dstufft).
So that would leave us with a default UA with no kernel or Python version, and only contains the requests version. Which is precisely what I had originally proposed.
I'm sorry if I misunderstood any of that. I don't want to start a flame war here or anything, but now I'm genuinely curious as to what part of @Lukasa's comment you believe I misinterpreted or misrepresented.
The thing you're disagreeing about is whether a URL would be contained in the User-Agent: I did not propose that, you did. =)
I'm -1 on the URL, but +1 on everything else.
Damnit @Lukasa you always post a comment ~30s before I can.
@asieira I didn't mean to put you on the offensive. I simply didn't want someone coming along and implementing the wrong thing based on your comment. Clarity and correctness is important.
Frankly, I'm -0 on removing this information but I wouldn't block a PR removing it.
@Lukasa and @sigmavirus24 thank you for clarifying that. The important part for me is removing the sensitive information. Not at all married to the specific format or having the requests URL there at all, sorry I didn't make that clearer before. You are absolutely right that clarity and correctness are important.
Do we all agree with `requests/<version>` as the UA string, then?
I can submit a PR for this, if you wish, as soon as we agree on the exact format.
That suits me =)
Resolved. =)
I've noticed that requests adds a user-agent header by default that looks like the following: `python-requests/2.7.0 CPython/2.7.9 Linux/3.14.44-32.39.amzn1.x86_64`. Including the CPython and OS kernel versions is unnecessary information leakage that could have security implications, as per the OWASP documentation.
I would like to suggest the default is changed to follow the 'bot' convention described here with the requests version and a link to the requests documentation: `python-requests/<version> (http://http://www.python-requests.org/)`.
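The following is an added example, not code from the python-requests project or from anyone in this thread. It rebuilds the verbose header quoted in the issue from the local platform data (the assumption, stated in the code, is that requests 2.7 composed it from `platform.python_implementation()`, `platform.python_version()`, `platform.system()` and `platform.release()`), shows the minimal form the thread converged on, and adds the check a server operator would want: a scan of access-log lines for `python-requests` clients that still disclose interpreter and kernel versions. The log lines and the `2.7.0` version placeholder are constructed for the example.

```python
"""Inspect requests-style User-Agent strings for version disclosure.

Added example, not python-requests code. It mirrors the header format quoted
in this issue; the log lines below are constructed, not taken from any server.
"""
import platform
import re
from typing import Dict, List

# A requests-style UA is a run of product/version tokens separated by spaces.
_TOKEN = re.compile(r"(?P<product>[A-Za-z_.-]+)/(?P<version>\S+)")

# Product names that, paired with a version, reveal the interpreter or the OS kernel.
_RUNTIMES = {"cpython", "pypy", "jython", "ironpython"}
_KERNELS = {"linux", "darwin", "windows", "freebsd", "openbsd", "netbsd", "sunos"}


def legacy_default_user_agent(name: str = "python-requests", version: str = "2.7.0") -> str:
    """Rebuild the verbose default discussed in the issue from this host's platform data.

    Assumption: requests 2.7 built it from platform.python_implementation(),
    platform.python_version(), platform.system() and platform.release().
    The version argument is a placeholder for the installed requests version.
    """
    return "%s/%s %s/%s %s/%s" % (
        name, version,
        platform.python_implementation(), platform.python_version(),
        platform.system(), platform.release(),
    )


def minimal_user_agent(name: str = "python-requests", version: str = "2.7.0") -> str:
    """The format the thread converged on: library name and version only."""
    return "%s/%s" % (name, version)


def ua_disclosures(ua: str) -> Dict[str, str]:
    """Return the interpreter and kernel versions a UA string gives away, if any."""
    found: Dict[str, str] = {}
    for m in _TOKEN.finditer(ua):
        product = m.group("product").lower()
        if product in _RUNTIMES:
            found["python"] = "%s %s" % (m.group("product"), m.group("version"))
        elif product in _KERNELS:
            found["kernel"] = "%s %s" % (m.group("product"), m.group("version"))
    return found


# Combined log format: the User-Agent is the last quoted field.
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def audit_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag python-requests clients whose UA discloses interpreter or kernel versions.

    Run this over your own server logs to find internal scripts still sending
    the verbose default, so they can be pinned to an explicit User-Agent.
    """
    findings = []
    for line in lines:
        m = _CLF.match(line.strip())
        if not m or not m.group("ua").startswith("python-requests/"):
            continue
        leaks = ua_disclosures(m.group("ua"))
        if leaks:
            findings.append({"ip": m.group("ip"), "ua": m.group("ua"), **leaks})
    return findings


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2015:12:00:01 +0000] "GET /api/v1/status HTTP/1.1" 200 512 "-" '
    '"python-requests/2.7.0 CPython/2.7.9 Linux/3.14.44-32.39.amzn1.x86_64"',
    '10.0.0.6 - - [10/Jul/2015:12:00:02 +0000] "GET /api/v1/status HTTP/1.1" 200 512 "-" '
    '"python-requests/2.8.0"',
    '10.0.0.7 - - [10/Jul/2015:12:00:03 +0000] "GET / HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
]

if __name__ == "__main__":
    print("legacy default :", legacy_default_user_agent())
    print("minimal default:", minimal_user_agent())
    for f in audit_access_log(SAMPLE_LOG):
        print("leaky client %(ip)s: %(ua)s" % f)
```

Only the first sample line is flagged: the second already sends the minimal form, and the third is a browser rather than a requests client. The token parser is deliberately loose (any `product/version` pair), so it also reports kernel strings from other libraries that copy the same convention.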