[Bug 1160647] Re: request forgery check displayed when only viewing admin pages

Mark Sapiro mark at msapiro.net
Sun Apr 7 03:13:14 CEST 2013


>The reason why no error message is displayed right after login is that
>the login process is itself a form submission, and those are working as
>initially stated. So the problem is not really "caused" by clicking one
>of the page top links, also indicated by a browser page refresh also
>showing the error message.


OK, I didn't understand that the problem only didn't occur when coming
from the login screen. I thought you were OK on the direct URL visit
even if already logged in. But I guess not.


>This is what happens:
>- the cgi-wrapper 'cgi-bin/admin' calls 'scripts/driver' with the scriptname as first parameter (i.e. 'admin')
>- 'scripts/driver' then uses 'sys.argv[1]' to find out it has to call 'main()' in 'Cgi/admin.py', but leaves 'sys.argv' intact
>- 'Cgi/admin.py' then calls the FieldStorage constructor which finds data in 'sys.argv[1]'
>(the FieldStorage class blows my mind, so I didn't bother digging to the point where this actually turns into a request parameter value)
>
>Could this be a problem with python2.7 (default on my system) instead of
>python3? Since the 'printenv' code you suggested is also python2 syntax
>I guess this should be a working configuration, no?


AFAIK, Mailman 2.1 has not been well tested, if at all, with Python 2.7.
It definitely will not work with Python 3.x. This CGI has been well
exercised with Pythons 2.1 through 2.6.

I will investigate the possibility of a Python 2.7 issue. It's time I
upgraded my test platforms and production server anyway ;)


>Just for the record: in 'scripts/driver', below line 94 which reads
>'scriptname = sys.argv[1]' I added a new line: 'sys.argv[1] = ""' which
>indeed made the error message disappear. Didn't test full functionality
>though.


It should be OK if it works. Even better might be

        del sys.argv[1]

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
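
Added example, not part of the original message and not Mailman's code: a Python 3 model of the chain described in the thread, showing how a leftover sys.argv[1] becomes a form field and how deleting it in the driver avoids that. parse_form mirrors the GET fallback in Python's cgi.FieldStorage (QUERY_STRING if set, otherwise sys.argv[1]); needs_token_check, the csrf_token field name and keep_blank_values=True are assumptions made for illustration.

```python
from urllib.parse import parse_qs


def parse_form(environ, argv):
    """Simplified model of the GET branch of cgi.FieldStorage: use
    QUERY_STRING when the variable exists, otherwise fall back to argv[1]."""
    if "QUERY_STRING" in environ:
        qs = environ["QUERY_STRING"]
    elif argv[1:]:
        qs = argv[1]          # the script name leaks in here
    else:
        qs = ""
    # keep_blank_values=True is an assumption about how the CGI builds its form;
    # with it, a bare "admin" parses as the field admin="".
    return parse_qs(qs, keep_blank_values=True)


def needs_token_check(form):
    """Hypothetical stand-in for the forgery check: any submitted field
    without a token is treated as a form submission lacking one."""
    return bool(form) and "csrf_token" not in form


def driver(argv, environ, strip_scriptname):
    """Model of scripts/driver: argv[1] names the CGI module to run."""
    argv = list(argv)             # work on a copy, as sys.argv would be mutated
    scriptname = argv[1]
    if strip_scriptname:
        del argv[1]               # the change suggested in the thread
    form = parse_form(environ, argv)
    return scriptname, form, needs_token_check(form)


if __name__ == "__main__":
    # Constructed inputs: a plain page view with no QUERY_STRING in the environment.
    print(driver(["driver", "admin"], {}, strip_scriptname=False))
    print(driver(["driver", "admin"], {}, strip_scriptname=True))
    # With QUERY_STRING present (even empty) the argv fallback is never reached.
    print(driver(["driver", "admin"], {"QUERY_STRING": ""}, strip_scriptname=False))
```
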

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1160647

Title:
  request forgery check displayed when only viewing admin pages
