jazzband/django-user-sessions

SECURITY: Flaw in django-user-sessions

Open

#189 opened on October 16, 2024

Labels: bug, help wanted

Description

I discovered a potential security flaw in this package, and reported it to the Jazzband security mailing address as directed to on this page over a year ago.

My initial email was acknowledged, I was told that my email was forwarded onto the project lead, and then all further contact ceased despite my repeated attempts.

I have also emailed Bouke directly, who was responsive, but they have stepped away from maintaining this project and cannot help me any further.

I have tried to follow the published guidelines for reporting security flaws and I have gotten nowhere after giving a very diplomatic amount of time to respond. But almost one year of non-contact far exceeds any reasonable responsible disclosure policy.

I am opening this public issue to both warn existing and potential users of a potential flaw, and to seek further guidance on who/how/where to report this.

Unless persuaded otherwise, after one week from today at most, I will publish a fix and tests for the security flaw in the form of a PR, and within 24 hours after that, being a Jazzband member myself, I will merge it into the main branch of this repository. I will then attempt to publish a release to PyPI, with my existing user credentials and permissions (not sure if this will be successful, but I feel it is the responsible thing to do).

I am more than happy to continue this discussion privately with other existing maintainers in an attempt to provide my flaw and fix, and brainstorm instructions for existing django-user-sessions users. But I will not be publicly answering any questions regarding the nature of the flaw.
