[ mailman-Bugs-1090439 ] password reminder can be shunt when encoding usascii

SourceForge.net noreply at sourceforge.net
Tue Jan 18 13:12:37 CET 2005


Bugs item #1090439, was opened at 2004-12-23 17:31
Message generated for change (Comment added) made by ber
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1090439&group_id=103

Category: None
Group: 2.1 (stable)
Status: Closed
Resolution: Fixed
Priority: 5
Submitted By: Bernhard Reiter (ber)
Assigned to: Tokio Kikuchi (tkikuchi)
Summary: password reminder can be shunt when encoding usascii

Initial Comment:
One user here has a password with characters which 
are not in usascii. The default language of the Mailman
installation is English (USA) which gives usascii as
encoding.
This is a stable Debian with Python 2.1.3.

The password reminders to be sent to this person are
shunted because of:

Uncaught runner exception: ASCII encoding error: ordinal not in range(128)
  File "/home/services/mailman/Mailman/Queue/Runner.py", line 111, in _oneloop
    self._onefile(msg, msgdata)
  File "/home/services/mailman/Mailman/Queue/Runner.py", line 167, in _onefile
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/home/services/mailman/Mailman/Queue/OutgoingRunner.py", line 73, in _dispose
    self._func(mlist, msg, msgdata)
  File "/home/services/mailman/Mailman/Handlers/SMTPDirect.py", line 152, in process
    deliveryfunc(mlist, msg, msgdata, envsender, refused, conn)
  File "/home/services/mailman/Mailman/Handlers/SMTPDirect.py", line 356, in bulkdeliver
    msgtext = msg.as_string()
  File "/home/services/mailman/Mailman/Message.py", line 208, in as_string
    g.flatten(self, unixfrom=unixfrom)
  File "/home/services/mailman/pythonlib/email/Generator.py", line 102, in flatten
    self._write(msg)
  File "/home/services/mailman/pythonlib/email/Generator.py", line 130, in _write
    self._dispatch(msg)
  File "/home/services/mailman/pythonlib/email/Generator.py", line 156, in _dispatch
    meth(msg)
  File "/home/services/mailman/pythonlib/email/Generator.py", line 202, in _handle_text
    self._fp.write(payload)
UnicodeError: ASCII encoding error: ordinal not in range(128)

----------------------------------------------------------------------

>Comment By: Bernhard Reiter (ber)
Date: 2005-01-18 13:12

Message:
Logged In: YES 
user_id=113859

It might not be the right place to discuss it,
but the restriction of character sets
makes it easier to guess and try the password
and less usable for non-English users because they probably
have a harder time remembering the password.

----------------------------------------------------------------------

Comment By: Tokio Kikuchi (tkikuchi)
Date: 2005-01-18 01:11

Message:
Logged In: YES 
user_id=67709

OK, fix was in time for 2.1.6 for password reminder from web
interface only; monthly reminder has already been fixed.
Password retrieval by mail command is still not fixed. 8bit
password by mail command needs more study because the
request mail might be encoded (quoted or base64).

I would prefer restricting password characters within
ascii-printables because there is no cryptography in mailman
user passwords. You only get (steal) the config file to get
the plain text password. You don't have to run 'crack' to
guess the password from crypted passwd entry like in Unix.

In any event, next major version of mailman should be free
of user password.



----------------------------------------------------------------------

Comment By: Bernhard Reiter (ber)
Date: 2005-01-17 12:27

Message:
Logged In: YES 
user_id=113859

If a user changes his password and just types a character
on the keyboard that is non-usascii. :-)

Restricting the password characters to usascii seems to be a bad
idea because it will lower the possibilities for passwords,
making them cryptographically weaker.

----------------------------------------------------------------------

Comment By: Tokio Kikuchi (tkikuchi)
Date: 2005-01-17 01:42

Message:
Logged In: YES 
user_id=67709

Sorry but fix will be after 2.1.6 release. In the meantime,
the site owner can reset the password of this person from
bin/withlist script.


----------------------------------------------------------------------

Comment By: Tokio Kikuchi (tkikuchi)
Date: 2005-01-17 01:39

Message:
Logged In: YES 
user_id=67709

I have no idea how latin-1 8bit characters are to be included in
a us-ascii English list password reminder. Maybe we should
restrict password within us-ascii printables. I want to work
on this direction so I am assigning this to myself.


----------------------------------------------------------------------
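Added example, not Mailman's code and not the fix discussed in this thread: one way to keep a reminder with a non-ASCII password from failing at flatten time, and to recover an 8-bit password from a request mail that arrives quoted-printable or base64 encoded. It uses the Python 3 standard email package; the function names build_reminder and request_text, the UTF-8 fallback, and the sample requests are assumptions constructed for illustration.

```python
import base64
from email import message_from_bytes
from email.mime.text import MIMEText


def build_reminder(body, list_charset="us-ascii"):
    """Build a text/plain reminder that always flattens.

    Assumption: falling back to UTF-8 is acceptable when the body does
    not fit the list's charset (Mailman's own fix may differ).
    """
    try:
        body.encode(list_charset)
        charset = list_charset
    except UnicodeEncodeError:
        charset = "utf-8"
    return MIMEText(body, "plain", charset)


def request_text(raw):
    """Return the first text/plain body of a request mail as str,
    undoing quoted-printable or base64 and the declared charset."""
    msg = message_from_bytes(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "us-ascii"
            data = part.get_payload(decode=True)
            return data.decode(charset, "replace")
    return ""


# Constructed sample requests carrying the same non-ASCII password.
SECRET = "grüße"
QP_REQUEST = (
    b"Content-Type: text/plain; charset=iso-8859-1\n"
    b"Content-Transfer-Encoding: quoted-printable\n\n"
    b"password gr=FC=DFe\n"
)
B64_REQUEST = (
    b"Content-Type: text/plain; charset=utf-8\n"
    b"Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(("password " + SECRET + "\n").encode("utf-8"))
    + b"\n"
)

if __name__ == "__main__":
    reminder = build_reminder("Your password is: " + SECRET)
    print(reminder.as_string())  # flattens without UnicodeError
    print(request_text(QP_REQUEST), request_text(B64_REQUEST))
```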
