------------------------------------------------------------ revno: 1303 committer: Mark Sapiro <msap...@value.net> branch nick: 2.1 timestamp: Mon 2011-05-09 18:34:07 -0700 message: Prevented setting user passwords with leading/trailing whitespace. Bug #778088. modified: Mailman/Cgi/options.py Mailman/Cgi/roster.py Mailman/Cgi/subscribe.py NEWS
=== modified file 'Mailman/Cgi/options.py' --- Mailman/Cgi/options.py 2010-07-27 17:14:17 +0000 +++ Mailman/Cgi/options.py 2011-05-10 01:34:07 +0000 @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2010 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2011 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -434,8 +434,8 @@ options_page(mlist, doc, user, cpuser, userlang) print doc.Format() return - newpw = cgidata.getvalue('newpw') - confirmpw = cgidata.getvalue('confpw') + newpw = cgidata.getvalue('newpw', '').strip() + confirmpw = cgidata.getvalue('confpw', '').strip() if not newpw or not confirmpw: options_page(mlist, doc, user, cpuser, userlang, _('Passwords may not be blank')) === modified file 'Mailman/Cgi/roster.py' --- Mailman/Cgi/roster.py 2010-03-29 20:48:11 +0000 +++ Mailman/Cgi/roster.py 2011-05-10 01:34:07 +0000 @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2008 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2011 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -73,8 +73,8 @@ # "admin"-only, then we try to cookie authenticate the user, and failing # that, we check roster-email and roster-pw fields for a valid password. # (also allowed: the list moderator, the list admin, and the site admin). - password = cgidata.getvalue('roster-pw', '') - addr = cgidata.getvalue('roster-email', '') + password = cgidata.getvalue('roster-pw', '').strip() + addr = cgidata.getvalue('roster-email', '').strip() list_hidden = (not mlist.WebAuthenticate((mm_cfg.AuthUser,), password, addr) and mlist.WebAuthenticate((mm_cfg.AuthListModerator, === modified file 'Mailman/Cgi/subscribe.py' --- Mailman/Cgi/subscribe.py 2011-03-30 03:33:24 +0000 +++ Mailman/Cgi/subscribe.py 2011-05-10 01:34:07 +0000 
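Review bot: In Mailman/Cgi/options.py, `cgidata.getvalue('newpw', '').strip()` assumes getvalue returns a string. If cgidata is a cgi.FieldStorage, as the call suggests, getvalue returns a list when a field name is submitted more than once, so a request with a repeated `newpw` or `confpw` would now raise AttributeError before the blank-password check is reached. The same pattern is added for `roster-pw`/`roster-email` in roster.py and for `pw`/`pw-conf` in subscribe.py. `getfirst` always yields a single value: `newpw = cgidata.getfirst('newpw', '').strip()`. The enclosing function starts and ends outside the hunk, so how an uncaught exception is handled is not visible here.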
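Review bot: In Mailman/Cgi/roster.py the strip is applied to a password that is being checked, not set, so a member whose stored password already has leading or trailing whitespace can presumably no longer pass `mlist.WebAuthenticate` through this form. Such a password could have been set before this change or through a path this commit does not touch. It would be worth confirming that every path that stores a user password normalises it the same way, and mentioning the effect on existing passwords in NEWS. A comment above the two lines would record the intent: `# Strip to match how passwords are normalised when they are set (Bug #778088).`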
@@ -125,12 +125,12 @@ syslog('mischief', 'Attempt to self subscribe %s: %s', email, remote) results.append(_('You may not subscribe a list to itself!')) # If the user did not supply a password, generate one for him - password = cgidata.getvalue('pw') - confirmed = cgidata.getvalue('pw-conf') + password = cgidata.getvalue('pw', '').strip() + confirmed = cgidata.getvalue('pw-conf', '').strip() - if password is None and confirmed is None: + if not password and not confirmed: password = Utils.MakeRandomPassword() - elif password is None or confirmed is None: + elif not password or not confirmed: results.append(_('If you supply a password, you must confirm it.')) elif password <> confirmed: results.append(_('Your passwords did not match.')) === modified file 'NEWS' --- NEWS 2011-05-01 16:21:29 +0000 +++ NEWS 2011-05-10 01:34:07 +0000 @@ -55,8 +55,8 @@ Bug Fixes and other patches - - Strengthened escaping of user web data by including some characters that - some older browsers misinterpret as < or >. + - Prevented setting user passwords with leading/trailing whitespace. + Bug #778088. - Mailman now sets the 'secure' flag in cookies set via https URLs. Bug #770377.
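Review bot: In Mailman/Cgi/subscribe.py the comment `# If the user did not supply a password, generate one for him` no longer fully describes the branch below it. With `if not password and not confirmed:`, a `pw` and `pw-conf` that contain only whitespace are also replaced by `Utils.MakeRandomPassword()`, whereas options.py rejects the same input with 'Passwords may not be blank'. If that difference is intended, the comment should say so, e.g. `# If no password (or only whitespace) was supplied, generate one`. The surrounding function continues outside the hunk.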