jazzband / django-user-sessions

Extend Django sessions with a foreign key back to the user, allowing enumerating all user's sessions.
https://pypi.python.org/pypi/django-user-sessions
MIT License
628 stars 128 forks

SECURITY: Flaw in django-user-sessions #189

Open blag opened 10 hours ago

blag commented 10 hours ago

I discovered a potential security flaw in this package, and reported it to the Jazzband security mailing address as directed on this page over a year ago.

My initial email was acknowledged, I was told that my email was forwarded on to the project lead, and then all further contact ceased despite my repeated attempts.

I have also emailed Bouke directly, who was responsive, but they have stepped away from maintaining this project and cannot help me any further.

I have tried to follow the published guidelines for reporting security flaws and I have gotten nowhere after giving a very diplomatic amount of time to respond. But almost one year of non-contact far exceeds any reasonable responsible disclosure policy.

I am opening this public issue to both warn existing and potential users of a potential flaw, and to seek further guidance on who/how/where to report this.

Unless persuaded otherwise, after one week from today at most, I will publish a fix and tests for the security flaw in the form of a PR, and within 24 hours after that, being a Jazzband member myself, I will merge it into the main branch of this repository. I will then attempt to publish a release to PyPI, with my existing user credentials and permissions (not sure if this will be successful, but I feel it is the responsible thing to do).

I am more than happy to continue this discussion privately with other existing maintainers in an attempt to provide my flaw and fix, and brainstorm instructions for existing django-user-sessions users. But I will not be publicly answering any questions regarding the nature of the flaw.

WhyNotHugo commented 6 hours ago

Sorry, I was travelling at the time and completely forgot about this.

I'll reply to your email privately. Reply sent.