[ mailman-Bugs-1120477 ] Traceback in private.py after security patch

SourceForge.net noreply at sourceforge.net
Fri Feb 11 12:32:00 CET 2005


Bugs item #1120477, was opened at 2005-02-10 19:39
Message generated for change (Comment added) made by rgoun
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1120477&group_id=103

Category: Web/CGI
Group: 2.1 (stable)
>Status: Closed
>Resolution: Invalid
Priority: 5
Submitted By: Roger H. Goun (rgoun)
Assigned to: Nobody/Anonymous (nobody)
Summary: Traceback in private.py after security patch

Initial Comment:
I applied the patch at http://www.list.org/CAN-2005-0202.txt to a
Mailman 2.1.4 installation and restarted the Web server. The first
time I tried to access the archives for a private list using an email
address that's *not* subscribed to the list, I got the traceback below.

I backed out the patch and restarted the Web server. I now get the
correct "Authorization failed." message.

Note that for the sake of paranoia I've obfuscated my email address,
changed the names of private lists, and flipped a few bits in the
cookie data and remote address below.

-- Roger

---------------

Bug in Mailman version 2.1.4

We're sorry, we hit a bug!

If you would like to help us identify the problem,
please email a copy of this page to the webmaster for
this site with a description of what happened. Thanks!
Traceback:

Traceback (most recent call last):
  File "/usr/local/mailman/scripts/driver", line 87, in run_main
    main()
  File "/usr/local/mailman/Mailman/Cgi/private.py", line 124, in main
    password, username):
  File "/usr/local/mailman/Mailman/SecurityManager.py", line 220, in WebAuthenticate
    ok = self.CheckCookie(ac, user)
  File "/usr/local/mailman/Mailman/SecurityManager.py", line 300, in CheckCookie
    ok = self.__checkone(c, authcontext, user)
  File "/usr/local/mailman/Mailman/SecurityManager.py", line 310, in __checkone
    key, secret = self.AuthContextInfo(authcontext, user)
  File "/usr/local/mailman/Mailman/SecurityManager.py", line 105, in AuthContextInfo
    secret = self.getMemberPassword(user)
  File "/usr/local/mailman/Mailman/OldStyleMemberships.py", line 102, in getMemberPassword
    raise Errors.NotAMemberError, member
NotAMemberError: roger-no at spam-bcah.com



Python information:

Variable	Value
sys.version	2.2.2 (#1, Jan 30 2003, 21:26:22) [GCC 2.96 20000731 (Red Hat Linux 7.3 2.96-112)]
sys.executable	/usr/bin/python2.2
sys.prefix	/usr
sys.exec_prefix	/usr
sys.path	/usr
sys.platform	linux2

Environment variables:

Variable	Value
PATH_INFO 	/dfnh-foo/
HTTP_ACCEPT 	text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
CONTENT_TYPE 	application/x-www-form-urlencoded
HTTP_REFERER 	http://mail.democracyfornewhampshire.com/mailman/private/dfnh-foo/
SERVER_SOFTWARE 	Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
PYTHONPATH 	/usr/local/mailman
SCRIPT_FILENAME 	/usr/local/mailman/cgi-bin/private
SERVER_ADMIN 	roger-no at spam-bcah.com
SCRIPT_NAME 	/mailman/private
SERVER_SIGNATURE 	Apache/1.3.27 Server at democracyfornewhampshire.com Port 80
REQUEST_METHOD 	POST
HTTP_HOST 	mail.democracyfornewhampshire.com
HTTP_KEEP_ALIVE 	300
SERVER_PROTOCOL 	HTTP/1.1
QUERY_STRING 	
REQUEST_URI 	/mailman/private/dfnh-foo/
CONTENT_LENGTH 	63
HTTP_ACCEPT_CHARSET 	ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_USER_AGENT 	Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0
HTTP_CONNECTION 	keep-alive
HTTP_COOKIE 	dfnh-board+user+roger-no--at--spam-bcah.com=280200000069caae0b42732800000063346130393963653330656239633862643737356337626437396561663334363862343563643536; dfnh-members+admin=280200000069dcee0b42732800000033353539613836343166396565376030323966663963313435646564633734303837666366666230
SERVER_NAME 	democracyfornewhampshire.com
REMOTE_ADDR 	24.35.177.35
REMOTE_PORT 	38224
HTTP_ACCEPT_LANGUAGE 	en-us,en;q=0.5
PATH_TRANSLATED 	/home/roger/democracyfornewhampshire.com/html/dfnh-foo/
SERVER_PORT 	80
GATEWAY_INTERFACE 	CGI/1.1
HTTP_ACCEPT_ENCODING 	gzip,deflate
SERVER_ADDR 	199.125.75.14
DOCUMENT_ROOT 	/home/roger/democracyfornewhampshire.com/html

----------------------------------------------------------------------

>Comment By: Roger H. Goun (rgoun)
Date: 2005-02-11 06:32

Message:
Logged In: YES 
user_id=3950

I deleted cookies and tried again. This time I got the
"Authorization failed." message.

Sorry for the false alarm.

----------------------------------------------------------------------

Comment By: Tokio Kikuchi (tkikuchi)
Date: 2005-02-10 20:33

Message:
Logged In: YES 
user_id=67709

The security patch should have nothing to do with the traceback.
Will you please try again after deleting cookies of this site?
(not disable but delete existing cookies)


----------------------------------------------------------------------
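
The traceback in this report shows a member-password lookup raising NotAMemberError from inside the cookie check. The sketch below is an added example, not part of the tracker thread and not Mailman's code: a cookie verifier that treats a cookie naming a non-member as a failed check instead of letting the exception reach the CGI driver. Only the "+user+" and "--at--" cookie-name pattern comes from the dump above; the Roster class, the function names and the HMAC-SHA256 cookie value are assumptions.

```python
import hashlib
import hmac


class NotAMemberError(Exception):
    """Hypothetical stand-in for the roster's 'address not subscribed' error."""


class Roster:
    """Hypothetical membership store mapping address -> password."""

    def __init__(self, passwords):
        self._passwords = dict(passwords)

    def get_member_password(self, address):
        try:
            return self._passwords[address]
        except KeyError:
            raise NotAMemberError(address)


def make_cookie(list_name, address, secret):
    # Assumed cookie value: HMAC-SHA256 keyed by the member's password.
    msg = f"{list_name}+user+{address}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def check_user_cookie(roster, list_name, cookies):
    """Return the authenticated address, or None. Stale cookies never raise."""
    prefix = list_name + "+user+"
    for name, value in cookies.items():
        if not name.startswith(prefix):
            continue  # cookie belongs to another list or auth context
        address = name[len(prefix):].replace("--at--", "@")
        try:
            secret = roster.get_member_password(address)
        except NotAMemberError:
            continue  # cookie names a non-member: fail closed, no traceback
        if hmac.compare_digest(make_cookie(list_name, address, secret), value):
            return address
    return None


# Constructed sample data: one subscribed address, one leftover cookie.
roster = Roster({"alice@example.org": "s3cret"})
stale = {"example-list+user+bob--at--example.org": "0" * 64}
print(check_user_cookie(roster, "example-list", stale))
```
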
