On Tuesday, January 7, 2003, at 12:15 AM, Barry A. Warsaw wrote:

> BTW, for the hacker inclined, a possibly useful way to debug this is
> to edit SecurityManager.py, the __checkone() method. Stick something
> like this before the first try: line (untested):
> 
> syslog('debug', 'key: %s, c[key]: %s, val: %s', key, c[key], c[key].value)
> 
> then tail logs/debug until you see the problem. Maybe something
> interesting will show up.

I finally had time in the past half hour to dedicate to debugging this using syslog() thrown in at various places in SecurityManager.py.

The result of that is... we don't even get to __checkone(). If there are *any* mm2.0 cookies in the URI-space mm2.1 looks in, the following code will always raise a Cookie.CookieException and return 0.

        # Treat the cookie data as simple strings, and do application level
        # decoding as necessary. By using SimpleCookie, we prevent any kind
        # of security breach due to untrusted cookie data being unpickled
        # (which is quite unsafe).
        try:
            c = Cookie.SimpleCookie(cookiedata)
        except Cookie.CookieError:
            return 0

If Python's Cookie code (or at least SimpleCookie) doesn't like cookies with :'s in them, that'd explain it.

This is rather a problem for anyone thinking they could run both mm2.0 and mm2.1 mapped into the same URI-space. Simply put, you can't (without re-auth'ing with every action in 2.1 lists), unless the mm2.1 code is rewritten to handle that exception better. Or unless you nuke all your cookies after every use of a 2.0 list (not just logout - in my testing that doesn't actually remove the cookie, just the cookie's contents).

The good news is that this should be no problem once everything is moved to 2.1.

Bryan
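The failure Bryan describes is general: one cookie that SimpleCookie will not accept makes the constructor raise, and the all-or-nothing code quoted above then throws away the whole header, well-formed cookies included. What follows is an added example, not Mailman's code and not from anyone in this thread, that reproduces that behaviour and sets beside it a loader that parses each name=value pair on its own and skips only the offending ones. It is written for a current Python, whose http.cookies module accepts ':' in a cookie name (the Cookie module of 2003 did not) but still rejects other characters such as '@', so '@' is used to provoke the same CookieError. The header strings, and the function names load_strict, load_tolerant and cookie_value, are constructed for the example.

```python
# Added example (not Mailman's code): one malformed cookie makes
# SimpleCookie raise and, with the all-or-nothing pattern quoted in the
# message above, every other cookie in the header is lost with it.  The
# tolerant loader parses each name=value pair separately and drops only
# the bad one.  Headers, values and function names are constructed.
from http.cookies import CookieError, SimpleCookie

# Constructed Cookie request headers: two well-formed cookies around one
# whose name http.cookies rejects ('@' is not a legal name character;
# the 2003 Cookie module rejected ':' the same way, today's accepts it).
MIXED_HEADER = "good=1; list@admin=abc; other=xyz"
CLEAN_HEADER = "good=1; other=xyz"


def load_strict(header):
    """All-or-nothing parse, as in the quoted SecurityManager code.

    Returns the SimpleCookie, or None when any cookie in the header is
    rejected (the caller then treats the request as unauthenticated).
    """
    try:
        return SimpleCookie(header)
    except CookieError:
        return None


def load_tolerant(header):
    """Parse each cookie separately so one bad cookie cannot hide the rest.

    Returns (jar, skipped): the SimpleCookie holding every cookie that
    parsed, and the raw text of each cookie that was rejected.  Splitting
    on ';' assumes no quoted value carries a literal ';', which browsers
    do not send in a Cookie request header.
    """
    jar = SimpleCookie()
    skipped = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        try:
            # Morsel.set() raises before the key is stored, so a rejected
            # part leaves the jar untouched.
            jar.load(part)
        except CookieError:
            skipped.append(part)
    return jar, skipped


def cookie_value(jar, name):
    """Value of cookie `name`, or None if absent; mirrors a c[key].value lookup."""
    morsel = jar.get(name) if jar is not None else None
    return morsel.value if morsel is not None else None


if __name__ == "__main__":
    print("strict, clean header  :", cookie_value(load_strict(CLEAN_HEADER), "other"))
    print("strict, mixed header  :", cookie_value(load_strict(MIXED_HEADER), "other"))
    jar, skipped = load_tolerant(MIXED_HEADER)
    print("tolerant, mixed header:", cookie_value(jar, "other"), "skipped:", skipped)
```

With the mixed header the strict loader returns None, so a caller written like the quoted CheckCookie code would report "not authenticated" even though the cookie it wanted was present and valid; the tolerant loader keeps good and other and reports list@admin=abc as skipped. The split-per-cookie approach is the minimal change Bryan's "handle that exception better" asks for; it does not change the security property the comment in the original code is protecting, since each part still goes through SimpleCookie and nothing is unpickled.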


------------------------------------------------------
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
