On Nov 24, 2012, at 4:11 PM, Mark Sapiro mark@msapiro.net wrote:
Mark Sapiro wrote at http://mail.python.org/pipermail/mailman-users/2012-November/074415.html:
I have implemented a simple version of what I think you requested in your post at http://mail.python.org/pipermail/mailman-users/2012-October/074287.html.
It is implemented by the attached patch against Mailman 2.1.15.
I have augmented that patch with a timestamp and it now also checks that the hash is no older than mm_cfg.FORM_LIFETIME. See https://launchpad.net/bugs/1082746 and http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1371 for a bug report and the patch which will be released with Mailman 2.1.16.
I would like to apply this same patch to a 2.1.14 installation.
I downloaded the three modified files from this patch, and diffed them against 2.1.14 files. It looks like this patch will mostly apply to 2.1.14, but I'm not sure about the differences relating to comparing passwords, and the use of "strip." See 128,129c146,147 in the patch below for what I am asking about.
Here is my diff:
1c1 < # Copyright (C) 1998-2009 by the Free Software Foundation, Inc.
# Copyright (C) 1998-2012 by the Free Software Foundation, Inc. 22a23 import time 112c113 < email = cgidata.getvalue('email', '')
email = cgidata.getvalue('email', '').strip()
122a124,140
# Are we checking the hidden data? if mm_cfg.SUBSCRIBE_FORM_SECRET: now = int(time.time()) try: ftime, fhash = cgidata.getvalue('sub_form_token', '').split(':') then = int(ftime) except ValueError: ftime = fhash = '' then = now token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ftime + mlist.internal_name() + remote).hexdigest() if now - then > mm_cfg.FORM_LIFETIME: results.append(_('The form is too old. Please GET it again.')) if token != fhash: results.append(_('You must GET the form before submitting it.'))
128,129c146,147 < password = cgidata.getvalue('pw') < confirmed = cgidata.getvalue('pw-conf')
password = cgidata.getvalue('pw', '').strip() confirmed = cgidata.getvalue('pw-conf', '').strip()
131c149 < if password is None and confirmed is None:
if not password and not confirmed:
133c151 < elif password is None or confirmed is None:
elif not password or not confirmed:
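Review bot: the 122a124,140 hunk relies on four names it does not define, `remote`, `Utils.sha_new`, `mm_cfg.SUBSCRIBE_FORM_SECRET` and `mm_cfg.FORM_LIFETIME`, so before applying it to 2.1.14 confirm that subscribe.py already sets `remote` above line 122, that `Utils.sha_new` exists in that release's Utils.py, and that both settings get defaults in Defaults.py; without a default, `if mm_cfg.SUBSCRIBE_FORM_SECRET:` raises AttributeError on every subscribe request. Two smaller points on the same hunk: `if token != fhash:` is a plain string comparison, and where the Python in use provides it (2.7.7+ or 3.3+) `hmac.compare_digest(token, fhash)` avoids leaking the position of the first mismatching digit through timing; and the `except ValueError` branch is doing double duty, catching both a missing or malformed `sub_form_token` (the two-value unpack of `split(':')`) and a non-integer `ftime`, with `then = now` ensuring that only the "You must GET the form" message fires in that case rather than both messages.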
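Review bot: the 128,129c146,147 hunk is only correct together with 131c149 and 133c151, so apply all three or none. Once `cgidata.getvalue('pw', '')` returns '' for a missing field instead of None, the 2.1.14 tests `if password is None and confirmed is None:` can never be true, and a form submitted without a password would land in the "you must confirm it" branch instead of getting a generated password; the `not password` / `not confirmed` rewrites restore the intended flow. Note the behaviour change that comes with it: a password that is empty, or whitespace-only before `.strip()`, is now treated as absent and a random one is generated, and `.strip()` alters what is stored for a password entered with leading or trailing whitespace, so whatever later compares that password should normalise the same way or such users will fail to authenticate.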
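The timestamped form-token scheme that Mark's quoted message describes (hash over secret, timestamp, list name and remote, rejected when older than FORM_LIFETIME), as an added stand-alone Python 3 example. This is not Mailman's code and not part of the thread: the function names are invented for the example, `SUBSCRIBE_FORM_SECRET` and `FORM_LIFETIME` are placeholder values standing in for the mm_cfg settings, and the only deliberate departure from the patch is that the digest comparison uses `hmac.compare_digest` instead of `!=`.

```python
import hashlib
import hmac
import time

# Placeholder values standing in for mm_cfg.SUBSCRIBE_FORM_SECRET and
# mm_cfg.FORM_LIFETIME; constructed for this example, not Mailman's defaults.
SUBSCRIBE_FORM_SECRET = "example-secret-change-me"
FORM_LIFETIME = 600  # seconds a GET'd form stays valid

ERR_TOO_OLD = "The form is too old. Please GET it again."
ERR_NO_GET = "You must GET the form before submitting it."


def _digest(secret, ftime, listname, remote):
    """Same construction as the patch: SHA-1 over secret+timestamp+list+remote."""
    data = (secret + ftime + listname + remote).encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def mint_token(listname, remote, now=None, secret=SUBSCRIBE_FORM_SECRET):
    """Value to place in the hidden sub_form_token field when the form is GET'd.

    Format is '<unix-seconds>:<hexdigest>', as the patch's split(':') expects.
    """
    ftime = str(int(time.time() if now is None else now))
    return ftime + ":" + _digest(secret, ftime, listname, remote)


def check_token(token, listname, remote, now=None,
                secret=SUBSCRIBE_FORM_SECRET, lifetime=FORM_LIFETIME):
    """Re-derives the digest on POST and returns the list of error messages.

    Mirrors the decisions in the 122a124,140 hunk: a missing or malformed
    token and a non-integer timestamp both fall into the ValueError branch,
    where then = now keeps the age check quiet so only ERR_NO_GET fires.
    """
    now = int(time.time() if now is None else now)
    results = []
    try:
        ftime, fhash = token.split(":")   # ValueError unless exactly one ':'
        then = int(ftime)                  # ValueError if not an integer
    except ValueError:
        ftime = fhash = ""
        then = now
    expected = _digest(secret, ftime, listname, remote)
    if now - then > lifetime:
        results.append(ERR_TOO_OLD)
    # Constant-time comparison; encoded to bytes so a non-ASCII fhash from the
    # client cannot make compare_digest raise TypeError.
    if not hmac.compare_digest(expected.encode("utf-8"), fhash.encode("utf-8")):
        results.append(ERR_NO_GET)
    return results


if __name__ == "__main__":
    # Constructed sample exchange: GET at t=1000, POST at t=1100 from the same
    # remote, then a replay after the lifetime and a forged timestamp.
    tok = mint_token("mylist", "203.0.113.5", now=1000)
    print(tok, check_token(tok, "mylist", "203.0.113.5", now=1100))
    print(check_token(tok, "mylist", "203.0.113.5", now=1000 + FORM_LIFETIME + 1))
    forged = "5000:" + tok.split(":")[1]
    print(check_token(forged, "mylist", "203.0.113.5", now=1100))
```

Because `ftime` is part of the hashed data, a client cannot move the timestamp forward to dodge the age check without also invalidating the digest, which is what the forged-token case in the usage section shows; a token minted for one list or one remote likewise fails verification for another.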