[Bug 871415] Re: "Approved:" password not stripped when list in BCC

Mark Sapiro mark at msapiro.net
Tue Oct 11 18:59:21 CEST 2011

*** This bug is a duplicate of bug 266220 ***

This is a known issue. We remove the Approved: <password> text from any
part in which we can find it, but we can't deal with all pathological
HTML renderings, so this is only best effort, not a guarantee. That is
why we strongly recommend using a true header rather than the first body
line, but you probably can't do that with the gmail web client either.

Note that in Mailman 2.1.15, there will be a 'poster' password that is
only for pre-approving posts, thus minimizing the consequences of
leaking the password as you don't have to use the admin or moderator
password. See <https://bugs.launchpad.net/mailman/+bug/770581>.

If you post an excerpt of the exact HTML from which removal failed (you
can mung the password) to the original bug
<https://bugs.launchpad.net/mailman/+bug/266220>, I'll try to recognize
that case. Note that the current code looks for a match of the
"(X-)Approve(d): password" string it found in the plain text, but with
any combination of spaces, \xA0 and &nbsp; between the : and the
password. It will not find a match if there is a newline inserted, but
it does decode base64 and quoted-printable HTML parts before looking.

You received this bug notification because you are a member of Mailman
Coders, which is subscribed to the bug report.

  "Approved:" password not stripped when list in BCC

To manage notifications about this bug go to:

More information about the Mailman-coders mailing list