------------------------------------------------------------
revno: 1196
committer: Mark Sapiro <[email protected]>
branch nick: 2.1
timestamp: Thu 2009-09-03 11:12:06 -0700
message:
Inadvertently setting a null site or list password allowed access
to a list's web admin interface without authentication. Fixed by
not accepting null passwords.
modified:
Mailman/SecurityManager.py
NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
Your team Mailman Checkins is subscribed to branch lp:mailman/2.1.
To unsubscribe from this branch go to
https://code.launchpad.net/~mailman-coders/mailman/2.1/+edit-subscription.
=== modified file 'Mailman/SecurityManager.py'
--- Mailman/SecurityManager.py 2008-11-29 23:46:03 +0000
+++ Mailman/SecurityManager.py 2009-09-03 18:12:06 +0000
@@ -137,6 +137,9 @@
#
# Return the authcontext from the argument sequence that matches the
# response, or UnAuthorized.
+ if not response:
+ # Don't authenticate null passwords
+ return mm_cfg.UnAuthorized
for ac in authcontexts:
if ac == mm_cfg.AuthCreator:
ok = Utils.check_global_password(response, siteadmin=0)
=== modified file 'NEWS'
--- NEWS 2009-09-03 17:29:36 +0000
+++ NEWS 2009-09-03 18:12:06 +0000
@@ -8,6 +8,10 @@
Bug Fixes and other patches
+ - Inadvertently setting a null site or list password allowed access
+ to a list's web admin interface without authentication. Fixed by
+ not accepting null passwords.
+
- Changed VERP_CONFIRM_REGEXP in Defaults.py to work if the replying
MUA folds the To: header and in cases where the list name includes '+'.
_______________________________________________
Mailman-checkins mailing list
[email protected]
Unsubscribe:
http://mail.python.org/mailman/options/mailman-checkins/archive%40jab.org
