benadida / helios-server
Helios server
Home Page: http://heliosvoting.org
License: Apache License 2.0
In production I have been receiving stack trace emails from IE users:
<ModPythonRequest
path:/helios/elections/<guid>/voters/ie.css,
'HTTP_USER_AGENT': 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)',
This should be hitting the static file instead of a django view I think. Django view results in:
AttributeError: 'NoneType' object has no attribute 'toJSONDict'
A nice idea for the platform would be implementing the Condorcet method for the result of the election. In this case the platform would be very interesting for some communities that use this kind of method.
We should pull the mailto help email from settings.py so that it can be configured. I don't think everyone wants to rely on [email protected].
If you bulk upload two files at the same time, each file gets its own aliases starting from v1. This results in two people having the same alias.
to prevent certain kinds of de-anonymization attacks.
for resending passwords, for example.
the first column looks like first name, instead of unique ID.
in CSV format
I tried to setup helios locally but I am not able to cast votes. Once I have voted I see:
"Congratulations, your vote has been successfully cast! "
But when I browse http://localhost:8000/helios/elections/fe56182c-dd34-11df-962b-00241d77a7d3/voters/list it says:
"no votes yet"
The background job seems to be going through:
2010-10-21 20:44:04,652 INFO Got task from broker: helios.tasks.cast_vote_verify_and_store[06cd451d-a10f-4e72-8bc8-bbdf75cd4a23]
2010-10-21 20:44:04,718 INFO Task helios.tasks.cast_vote_verify_and_store[06cd451d-a10f-4e72-8bc8-bbdf75cd4a23] processed: None
The commit in use is 383f010
======================================================================
FAIL: test_create_election (helios.tests.ElectionModelTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/mnt/checkouts/helios-server/helios/tests.py", line 45, in test_create_election
    self.assertTrue(self.election.created_at < datetime.datetime.utcnow())
AssertionError
I am unable to log into Helios using Twitter.
I tried to log in on https://vote.heliosvoting.org/. I created a new account on Twitter and selected to log in with Twitter. I get to a screen where I am asked to authorize the Helios app. After I click "Authorize app", I briefly see a screen saying "Redirecting you back to...", then my browser is redirected to the following page:
Address of the page:
https://vote.heliosvoting.org/auth/after/?oauth_token=[REDACTED]&oauth_verifier=[REDACTED]
Contents of the page:
There was an error while handling your request.
I haven't tried it on another browser or another machine, so I don't know if the problem is on my end or on the Helios server.
I'm following Helios install instructions from http://documentation.heliosvoting.org/install,
and when getting the source from the git repo, I've got the following error after "git checkout origin/pure-django".
What is the issue? How should I proceed?
Thank you very much,
Erick Nogueira do Nascimento
[root@Fedora helios]$ git clone git://github.com/benadida/helios-server.git
Cloning into helios-server...
remote: Counting objects: 1917, done.
remote: Compressing objects: 100% (840/840), done.
remote: Total 1917 (delta 1170), reused 1758 (delta 1056)
Receiving objects: 100% (1917/1917), 639.20 KiB, done.
Resolving deltas: 100% (1170/1170), done.
[root@Fedora helios]$ cd helios-server
[root@Fedora helios-server]$ git checkout origin/pure-django
error: Updating the following directories would lose untracked files in it:
helios
Aborting
[root@Fedora helios-server]$ git --version
git version 1.7.3.4
If I force the checkout I receive this:
[root@Fedora helios-server]$ git checkout -f origin/pure-django
Note: checking out 'origin/pure-django'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:
git checkout -b new_branch_name
HEAD is now at d9523b5... Alias generation
even when election is aliased.
I find the whole amqp/celery/kombu thing pretty confusing, as a newcomer to the Helios project, and I found the helios-server documentation kinda laconic and lacking as a result.
The official celery instructions mention a daemon running in the background. But the helios-server documentation fails to mention any of that.
In addition, I get this error:
https://gist.github.com/skaag/5810728
I get this error only while trying to actually cast my ballot. Before I get to that step, everything seems to be working fine. I create a public election, add questions, it's all good until helios tries to update celery (That's when the error above occurs).
This is running under Ubuntu 12.04 Precise x64, with Django 1.4.5, Python 2.7.3, all under virtualenv.
Any ideas how to fix this?
discover a vulnerability which allows an adversary to compromise voters' privacy. This vulnerability has been successfully exploited to break privacy in a small election using the current Helios implementation. Moreover, the feasibility of an attack is considered in the context of French legislative elections and, based upon our findings, we believe it constitutes a threat to ballot secrecy in real-world elections. Finally, a fix is proposed.
http://www.di.ens.fr/CryptoSeminaire.html#Attacking_ballot_secrecy_in_Heli
When the election has been started it is still possible to replace voters. This is good behaviour, since it allows changing an invalid/not working email address. It is, however, also an issue when using anonymous elections: if the administrator of the election is bribed, he can remove some voters, replace them with email addresses to which he has access, and then insert bogus votes, potentially changing the result of the election.
It seems the url is saved to the database as cast_url. It could as well be calculated dynamically on demand.
trustee can't log in. should prevent trustee with same email address from being created. Unique index?
If I configure the election to "Anyone can vote" then, once the election is frozen, on the "Voters & Ballot Tracking Center" I get this:
Who can vote?
any g user
any o user
any o user
any g user
any l user
any e user
This, in fact, matches what's in the database:
helios=# select eligibility from helios_election;
                                                        eligibility
--------------------------------------------------------------------------------------------------------------------------
 [{"auth_system": "g"}, {"auth_system": "o"}, {"auth_system": "o"}, {"auth_system": "g"}, {"auth_system": "l"}, {"auth_system": "e"}]
(1 row)
Why does this happen? For what reason is the login system "google" treated as a sequence of chars?
by using Olivier and Damien's trick of representing objects as arrays, we can get to a strict JSON representation of any object for canonicalization purposes, and thus for hashing. This is better than my previous idea that we should use an arbitrary JSON serialization as the canonical representation, as there are too many cases where we need two sides to re-canonicalize.
on private elections, the note saying "you don't need to log in until you have voted" is wrong. should be removed.
In organising my first vote with Helios, I was hugely reassured by the explanations and previews available. However, I would very much like to see what the email sent to voters looks like.
This would allow administrators to better describe the voting procedure to members before the voting is opened. Perhaps a link on the /view section would suffice?
p.s. I was really impressed by the ease of use of such a secure system!
otherwise it's a 403.
this is too confusing otherwise.
Specifically, some folks are confused by the multi-step process of voting with the smart ballot tracker and the audit link. If voters are going to be confused and if no one is doing the auditing, then the extra complexity is not useful. So this should become optional.
In Firefox 5 on Windows 7, ballots created in the ballot box have an empty array for randomness.
To reproduce:
in the trustees page.
I haven't checked against the latest version of helios here on github, but your sample page on heliosvoting.org works.
Affected page: https://vote.heliosvoting.org/booth/vote.html
The election_url parameter is not validated and can be used to insert javascript from another domain. It is inserted into both
The following javascript code is executed in the client
// election URL
var election_url = $.query.get('election_url');
// ...
BOOTH.load_and_setup_election = function(election_url) {
    // the hash will be computed within the setup function call now
    $.get(election_url, function(raw_json) {
        BOOTH.setup_election(raw_json);
        BOOTH.show_election();
        BOOTH.election_url = election_url;
    });
    if (USE_SJCL) {
        // get more randomness from server
        $.getJSON(election_url + "/get-randomness", {}, function(result) {
            sjcl.random.addEntropy(result.randomness);
        });
    }
};
$.getJSON will automatically use JSONP if it detects "callback=?" inside the request url. This can be abused:
Example using JSONP
https://vote.heliosvoting.org/booth/vote.html?election_url=http%3A%2F%2Fjoakim.uddholm.com%2Fhelios%2Felections%2Fcallback.php%3Fjsoncallback%3D%3F%26
Works in Firefox. Does not work in Chrome
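An added example, not the booth's own code, of the validation the report says is missing: election_url is checked before it is used for any request, so neither $.get nor $.getJSON (which switches to JSONP when it sees "callback=?" in the URL) can be pointed at a foreign origin. Assumed, not from the issue: the booth only ever loads election JSON from its own origin, and a legitimate election_url path has the shape /helios/elections/<uuid>; BOOTH_ORIGIN and ELECTION_PATH are placeholders a deployment would set.

```javascript
// Added example, not Helios booth code. Origin and path shape are assumptions.
const BOOTH_ORIGIN = 'https://vote.heliosvoting.org';
const ELECTION_PATH =
  /^\/helios\/elections\/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Returns true only for a same-origin election URL with no query or fragment.
function isSafeElectionUrl(candidate, boothOrigin = BOOTH_ORIGIN) {
  let url;
  try {
    // Relative values resolve against the booth origin; absolute ones keep theirs.
    url = new URL(String(candidate), boothOrigin);
  } catch (e) {
    return false; // not a URL at all
  }
  // Scheme, host and port must all match the booth: this rejects other
  // domains, protocol-relative "//host/..." values and http-vs-https mixups.
  if (url.origin !== boothOrigin) return false;
  // Embedded credentials are never legitimate here.
  if (url.username !== '' || url.password !== '') return false;
  // No query string or fragment: a query is where "callback=?" would hide,
  // and a legitimate election URL needs neither.
  if (url.search !== '' || url.hash !== '') return false;
  return ELECTION_PATH.test(url.pathname);
}

// Builds the two request URLs the booth derives from election_url, refusing
// anything that did not pass validation so the caller cannot forget the check.
function electionRequestUrls(electionUrl) {
  if (!isSafeElectionUrl(electionUrl)) {
    throw new Error('refusing to load election from unvalidated election_url');
  }
  const base = new URL(electionUrl, BOOTH_ORIGIN).href;
  return { election: base, randomness: base + '/get-randomness' };
}

// Constructed inputs: a legitimate value and the JSONP-style value from the report.
console.log(isSafeElectionUrl('/helios/elections/fe56182c-dd34-11df-962b-00241d77a7d3')); // true
console.log(isSafeElectionUrl(
  'http://joakim.uddholm.com/helios/elections/callback.php?jsoncallback=?&')); // false
```

In the booth, the check would run on the value returned by $.query.get('election_url') before load_and_setup_election is called, and the two derived URLs would come from electionRequestUrls rather than from string concatenation. Rejecting any query string is deliberate: it closes the JSONP trigger without needing to enumerate the parameter names jQuery recognises.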
After filling in all the fields on the create election form and submit it, I've got the HTTP 500 error below.
Thank you,
Erick Nogueira do Nascimento
Campinas State University
IntegrityError at /helios/elections/new
null value in column "short_name" violates not-null constraint
Request Method: POST
Request URL: http://127.0.0.1:8000/helios/elections/new
Django Version: 1.2.5
Exception Type: IntegrityError
Exception Value:
null value in column "short_name" violates not-null constraint
Exception Location: /usr/lib/python2.6/site-packages/django/db/models/query.py in get_or_create, line 391
Python Executable: /usr/bin/python
Python Version: 2.6.4
Python Path: ['/home/helios/helios/helios-server', '/usr/lib/python2.6/site-packages/celery-2.2.4-py2.6.egg', '/usr/lib/python2.6/site-packages/pyparsing-1.5.5-py2.6.egg', '/usr/lib/python2.6/site-packages/kombu-1.0.3-py2.6.egg', '/usr/lib/python2.6/site-packages/anyjson-0.3-py2.6.egg', '/usr/lib/python2.6/site-packages/python_dateutil-1.5-py2.6.egg', '/usr/lib/python2.6/site-packages/importlib-1.0.2-py2.6.egg', '/usr/lib/python2.6/site-packages/amqplib-0.6.1-py2.6.egg', '/usr/lib/python2.6/site-packages/django_celery-2.2.4-py2.6.egg', '/usr/lib/python2.6/site-packages/django_picklefield-0.1.9-py2.6.egg', '/usr/lib64/python26.zip', '/usr/lib64/python2.6', '/usr/lib64/python2.6/plat-linux2', '/usr/lib64/python2.6/lib-tk', '/usr/lib64/python2.6/lib-old', '/usr/lib64/python2.6/lib-dynload', '/usr/lib64/python2.6/site-packages', '/usr/lib64/python2.6/site-packages/gtk-2.0', '/usr/lib/python2.6/site-packages', '/usr/lib/python2.6/site-packages/setuptools-0.6c11-py2.6.egg-info']
Server time: Fri, 25 Feb 2011 09:10:01 -0800
Environment:
Request Method: POST
Request URL: http://127.0.0.1:8000/helios/elections/new
Django Version: 1.2.5
Python Version: 2.6.4
Installed Applications:
['django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.sites', 'djcelery', 'auth', 'helios', 'server_ui']
Installed Middleware:
('django.middleware.common.CommonMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware')
Traceback:
File "/usr/lib/python2.6/site-packages/django/core/handlers/base.py" in get_response
  100. response = callback(request, *callback_args, **callback_kwargs)
File "/home/helios/helios/helios-server/auth/security/__init__.py" in login_required_wrapper
  75. return func(request, *args, **kw)
File "/home/helios/helios/helios-server/helios/views.py" in election_new
  142. election, created_p = Election.get_or_create(**election_params)
File "/home/helios/helios/helios-server/helios/models.py" in get_or_create
  118. return cls.objects.get_or_create(short_name = kwargs['short_name'], defaults=kwargs)
File "/usr/lib/python2.6/site-packages/django/db/models/manager.py" in get_or_create
  135. return self.get_query_set().get_or_create(**kwargs)
File "/usr/lib/python2.6/site-packages/django/db/models/query.py" in get_or_create
  391. raise e
Exception Type: IntegrityError at /helios/elections/new
Exception Value: null value in column "short_name" violates not-null constraint
If a trustee is not also a voter in a private election (or happens to not be logged in as a voter), they will be unable to submit decryption results [getting a 302 when attempting to POST to https://www.foo.tld/voting/helios/elections/UUID/trustees/UUID/upload-decryption to a page that would ask them to authenticate to view the election]. Worse yet, this fails silently and appears to claim that uploading the partial decryption was successful rather than displaying an error; since the POST is done as an AJAX call, nobody sees the login page.
This makes Helios provably secure and defends against some particularly advanced attacks.
b64 encoding, probably.
Allow for multiple administrators able to add voters, issue questions, etc.
Eventually make them trustees by default?
need to fix the questions NaN thing.
I can't really understand how to start celery to do background jobs.
Looks like celery.py is missing and when I start celery with
celery worker --app helios-server -l info
it just says
ImportError: No module named celery
please can you explain how to start background processes?
Thanks