On 08/10/2014 01:07 PM, S. Patrick Eaton wrote:
>
> ... has
> been providing a homegrown administrative interface that uses PHP and curl
> to simulate user interactions via POST.
>
> When a recent update to Mailman introduced CSRF tokens, however, this
> approach broke down and the organization has been struggling to figure out
> how to manage the lists ever since.

If you are authenticating to the admin interface via a cookie from a preceding login, you can modify the PHP scripts to first GET the page, parse the page for the value of csrf_token and submit csrf_token=<value> along with the POST data.

On the other hand, if you authenticate by including adminpw=<adminpassword> in the POST data, the CSRF token is not required as it is only checked if authentication is not via password.

See <http://wiki.list.org/x/Z4A9>.

--
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
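
The first approach in the reply above (GET the page, parse it for csrf_token, submit it with the POST data), as an added Python example that is not part of the original message or of Mailman's own code. The sample page, the token value and the field name example_field are constructed for illustration; the scripts discussed in the thread are PHP and curl, where the same two steps apply.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample of an admin page; real markup and token format may differ.
SAMPLE_PAGE = """<html><body>
<form action="../admin/examplelist" method="POST">
<input type="hidden" name="csrf_token" value="CONSTRUCTED-TOKEN-0123abcd">
<input type="text" name="example_field" value="">
<input type="submit" name="submit" value="Submit Your Changes">
</form></body></html>"""


class CsrfTokenParser(HTMLParser):
    """Collects the value of the first <input name="csrf_token"> on a page."""

    def __init__(self):
        super().__init__()
        self.token = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "csrf_token" and self.token is None:
            self.token = attrs.get("value")


def extract_csrf_token(page_html):
    parser = CsrfTokenParser()
    parser.feed(page_html)
    if not parser.token:
        # One likely cause: the login cookie was not accepted, so the page
        # that came back is not the admin form.
        raise ValueError("no csrf_token field in page; check the login cookie")
    return parser.token


def build_post_body(page_html, fields):
    """Return the urlencoded POST body with csrf_token=<value> added."""
    data = dict(fields)
    data["csrf_token"] = extract_csrf_token(page_html)
    return urlencode(data).encode("ascii")


def get_then_post(opener, url, fields):
    """GET the page, then POST to the same URL with the token.

    opener: a urllib.request opener whose cookie jar holds the login cookie.
    """
    page = opener.open(url).read().decode("utf-8", "replace")
    return opener.open(url, data=build_post_body(page, fields)).read()
```

Fetch a fresh page before each POST rather than caching a token across runs, and treat the ValueError as a signal to log in again.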