
I just noticed that the token value used in private.py is just hash(list_name). A simple improvement is to change it to hash(SECRET + list_name) and then change the value of SECRET in private.py. An even better solution would be to do an MD5 hash of SECRET + list_name, but is it OK to assume that the md5 module is present?)
(I haven't done a patch for md5 support; let me know if I should.)
Also, since setting an archive to private doesn't seem to change the directory where it's archived, this means you have to configure the Web server accordingly. This should be documented somewhere; is it?
--
A.M. Kuchling http://starship.skyport.net/crew/amk/
"All we know for sure is that we don't know anything for sure."
"That is a particularly foolish thing to say, John Constantine. Light and darkness, life and death. These things are eternally certain."
-- John Constantine and Dr Occult, in BOOKS OF MAGIC #1
*** private.py~ Mon Oct 19 16:14:54 1998 --- private.py Tue Dec 1 11:00:06 1998
*** 98,102 ****
c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
if c.has_key(list_name):
! if c[list_name].value == hash(list_name)
:
return 1
# No corresponding cookie. OK, then check for username, password
--- 98,102 ----
c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
if c.has_key(list_name):
! if c[list_name].value == hash(SECRET + list_name)
:
return 1
# No corresponding cookie. OK, then check for username, password
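Review bot: the `!` line still authenticates by comparing the cookie against `hash(SECRET + list_name)`, where `hash()` is Python's built-in non-cryptographic hash and SECRET is a constant inside private.py, so anyone holding a copy of the source can compute a valid cookie value; read the secret from a per-installation configuration value rather than the module, and derive the token with a real digest (md5 or stronger) of secret plus list name, hex-encoded so the value needs no cookie escaping. Note also that the token depends only on the list name, so every authenticated visitor receives the same value and it never expires; it acts as a shared per-list password rather than a session token, which is worth stating in the code comment.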
*** 129,133 **** return 0
! token = hash(list_name)
c = Cookie.Cookie()
c[list_name] = token
--- 129,133 ----
return 0
! token = hash(SECRET + list_name)
c = Cookie.Cookie()
c[list_name] = token
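Review bot: `hash(SECRET + list_name)` is now spelled out twice, in the check in the 98,102 hunk and at token creation here; factor it into one helper (e.g. `def list_token(list_name): return hash(SECRET + list_name)`) so the two sites cannot drift apart when the scheme moves to md5. Since the cookie is issued with no expiry or path attributes, a token stays valid indefinitely; changing SECRET is then the only way to invalidate outstanding cookies, and that consequence should be documented next to the secret.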

It is no more secure to have SECRET defined in the source code than to not have it at all.
If anyone is going to spoof a cookie, then looking up the value of secret in the mailman distribution is trivial.
While I'm not familiar with the benefits of md5 vs hash (it seems like both would be pretty much equally spoofable, and md5 just involves an extra import, but I could be wrong), if we want to protect from cookie spoofing, then there should be a config variable for COOKIE_SECRET, or the hash or md5 of the list_name concatenated to the admin site password might work. The point is to make SECRET variable.
One potential drawback of md5 is that it can produce characters which need special escaping for http transactions.
scott
On Tue, Dec 01, 1998 at 11:03:49AM -0500, Andrew M. Kuchling wrote:
| I just noticed that the token value used in private.py is just
| hash(list_name). A simple improvement is to change it to hash(SECRET
| + list_name) and then change the value of SECRET in private.py. An
| even better solution would be to do an MD5 hash of SECRET + list_name,
| but is it OK to assume that the md5 module is present?)
|
| (I haven't done a patch for md5 support; let me know if I should.)
|
| Also, since setting an archive to private doesn't seem to
| change the directory where it's archived, this means you have to
| configure the Web server accordingly. This should be documented
| somewhere; is it?
|
| --
| A.M. Kuchling http://starship.skyport.net/crew/amk/
| "All we know for sure is that we don't know anything for sure."
| "That is a particularly foolish thing to say, John Constantine. Light and
| darkness, life and death. These things are eternally certain."
| -- John Constantine and Dr Occult, in BOOKS OF MAGIC #1
|
|
| *** private.py~ Mon Oct 19 16:14:54 1998
| --- private.py Tue Dec 1 11:00:06 1998
| ***************
| *** 98,102 ****
| c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
| if c.has_key(list_name):
| ! if c[list_name].value == hash(list_name)
:
| return 1
| # No corresponding cookie. OK, then check for username, password
| --- 98,102 ----
| c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
| if c.has_key(list_name):
| ! if c[list_name].value == hash(SECRET + list_name)
:
| return 1
| # No corresponding cookie. OK, then check for username, password
| ***************
| *** 129,133 ****
| return 0
|
| ! token = hash(list_name)
| c = Cookie.Cookie()
| c[list_name] = token
| --- 129,133 ----
| return 0
|
| ! token = hash(SECRET + list_name)
| c = Cookie.Cookie()
| c[list_name] = token
|
|
| _______________________________________________
| Mailman-Developers maillist - Mailman-Developers@python.org
| http://www.python.org/mailman/listinfo/mailman-developers
|
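The scheme Scott outlines above (a per-installation COOKIE_SECRET combined with the list name, with a token that is safe to put in a cookie), as an added illustration that is not code from this thread or from Mailman; it assumes the secret is loaded from configuration, substitutes HMAC-SHA256 for the md5(SECRET + list_name) discussed, and mirrors private.py's Cookie usage with the standard http.cookies module.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie

# Assumption: in a deployment this is read from a per-installation config
# (Scott's proposed COOKIE_SECRET), never from a constant inside private.py.
COOKIE_SECRET = "constructed-example-secret-change-per-site"


def list_token(list_name, secret=COOKIE_SECRET):
    """Keyed digest of the list name.

    HMAC-SHA256 stands in for the md5(SECRET + list_name) idea: without the
    secret the value cannot be reproduced from the source alone.  hexdigest()
    yields only [0-9a-f], so the token needs no cookie escaping (the problem
    Scott raises with raw md5 output).
    """
    return hmac.new(secret.encode("utf-8"),
                    list_name.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def issue_cookie(list_name, secret=COOKIE_SECRET):
    """Cookie string the server sends after a successful password login,
    in the same shape private.py produces with c[list_name] = token."""
    c = SimpleCookie()
    c[list_name] = list_token(list_name, secret)
    return c.output(header="").strip()          # "mylist=<64 hex chars>"


def is_authenticated(http_cookie_header, list_name, secret=COOKIE_SECRET):
    """Counterpart of the check in private.py lines 98-102: parse the
    HTTP_COOKIE header and compare the presented value with the expected
    token.  compare_digest avoids leaking the match position via timing."""
    c = SimpleCookie()
    c.load(http_cookie_header)
    if list_name not in c:
        return False                 # fall through to username/password check
    presented = c[list_name].value.encode("utf-8")
    expected = list_token(list_name, secret).encode("ascii")
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    cookie = issue_cookie("mylist")             # constructed list name
    print(cookie)
    print(is_authenticated(cookie, "mylist"))                  # True
    print(is_authenticated(cookie, "mylist", "other-secret"))  # False
```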
Participants (2): Andrew M. Kuchling, Scott