Changing cookie name in mailman 2.1.26
Hi,
I would like to know how easy it would be to change the name of the user cookie.
The reason being we have recently deployed a WAF in front of our mailman web instances and although it's in detection mode (not prevention yet) it is picking up the mailman user cookie as containing SQL Injection, or rather a SQL Comment.
The WAF uses OWASP 3.0 rules and the rule matched is 942440.
Mailman sets a cookie name in the form list+user+email--at--domain and it's that "--at" that is detected as a SQL Comment; I really don't want to disable the rule and applying an ignore rule within the WAF doesn't work.
If someone could let me know, yes, it's possible, that would be great. Actually if someone could say look at this file and that file that would be a great help too.
I don't know Python, but I am a web developer (.Net).
Many thanks
Chris
On 4/21/20 3:30 AM, Chris Joyce wrote:
> Hi,
> I would like to know how easy it would be to change the name of the user cookie? ... If someone could let me know, yes its possible that would be great. Actually if someone could say look at this file and that file that would be a great help too.
The relevant code is Mailman/SecurityManager.py line 108 which says
userdata = urllib.quote(Utils.ObscureEmail(user), safe='')
Utils.ObscureEmail(user) is what replaces the '@' in the email address with '--at--'. I think it would be fine to just change that line to
userdata = urllib.quote(user, safe='')
This will leave the '@' unchanged in user, but urllib.quote will change
it to %40 which I think is OK. The Cookie name is a 'token' as defined
in RFC 2616, sec 2.2 and allows '%' (but not '@'). The inversion at
lines 318-319 does Utils.UnobscureEmail(urllib.unquote(u)).
urllib.unquote will convert %40 back to @ and UnobscureEmail will ignore
the '@', so all should be good.
-- 
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
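The cookie-name round trip Mark describes, worked through as an added example (this is not Mailman's own code, nor code from either poster). ObscureEmail/UnobscureEmail are re-implemented here from what the thread states about them ('@' to '--at--' and back); the cookie name is assembled as list+user+userdata, as Chris's message reports. The example is written for Python 3's urllib.parse, whereas Mailman 2.1 runs on Python 2 and calls urllib.quote/unquote directly. The sample address and list name are constructed for the demonstration.

```python
# Added example, not Mailman code: build the AuthUser cookie name the way
# SecurityManager.py does, before and after Mark's proposed one-line change,
# and show that the inversion (UnobscureEmail(unquote(u))) still recovers
# the address while the "--at--" sequence the WAF flagged disappears.
from urllib.parse import quote, unquote

# RFC 2616 sec 2.2: a token is any CHAR except CTLs and these separators.
# '@' is a separator (so cannot appear raw in a cookie name); '%' is not.
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def obscure_email(addr):
    # Re-implementation of Utils.ObscureEmail as described in the thread.
    return addr.replace('@', '--at--')


def unobscure_email(addr):
    # Re-implementation of Utils.UnobscureEmail; identity on a plain '@'.
    return addr.replace('--at--', '@')


def is_rfc2616_token(name):
    return bool(name) and all(
        32 <= ord(c) < 127 and c not in _SEPARATORS for c in name)


def cookie_name_current(listname, user):
    """The shipped line: userdata = urllib.quote(Utils.ObscureEmail(user), safe='')."""
    userdata = quote(obscure_email(user), safe='')
    return '%s+user+%s' % (listname, userdata)


def cookie_name_patched(listname, user):
    """Mark's proposal: userdata = urllib.quote(user, safe='')."""
    userdata = quote(user, safe='')
    return '%s+user+%s' % (listname, userdata)


def user_from_cookie_name(listname, name):
    """The inversion at lines 318-319: Utils.UnobscureEmail(urllib.unquote(u))."""
    prefix = '%s+user+' % listname
    if not name.startswith(prefix):
        return None
    return unobscure_email(unquote(name[len(prefix):]))


def contains_sql_comment_seq(name):
    # The substring the WAF matched as an SQL comment sequence.
    return '--' in name


if __name__ == '__main__':
    user = 'chris.joyce@example.com'   # constructed sample address
    for label, fn in (('current', cookie_name_current),
                      ('patched', cookie_name_patched)):
        name = fn('mylist', user)
        print(label, name,
              'token' if is_rfc2616_token(name) else 'NOT a token',
              'flags "--"' if contains_sql_comment_seq(name) else 'clean',
              'round-trip ok' if user_from_cookie_name('mylist', name) == user
              else 'round-trip BROKEN')
```

Both names are valid RFC 2616 tokens, so nothing in the cookie header changes shape; only the patched one is free of the "--" sequence, and both decode back to the same address because UnobscureEmail is a no-op on an address that already contains '@'.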