[Mailman-Developers] Secure admin pages

Barry A. Warsaw bwarsaw@cnri.reston.va.us (Barry A. Warsaw)
Fri, 17 Dec 1999 00:38:46 -0500 (EST)

>>>>> "DM" == Dan Mick <Dan.Mick@West.Sun.COM> writes:

    DM> We set up an SSL arrangement so our admin password isn't
    DM> traversing the net in clear text, but were temporarily
    DM> thwarted by the fact that the admin CGI scripts sometimes use
    DM> Absolute paths, which didn't include the https://.  I made
    DM> some hacks; comments?  (Does this look right, Barry et. al.?)

What do you think of the following instead.

    def GetScriptURL(self, scriptname, relative=0):
        if relative:
            prefix = '../' * Utils.GetNestingLevel()
        elif self.web_page_url:
            prefix = self.web_page_url
            prefix = mm_cfg.DEFAULT_URL
        i = len(prefix)-1
        while i >= 0 and prefix[i] == '/':
            i = i - 1
        prefix = prefix[:i+1]
        return '%s/%s%s/%s' % (prefix, scriptname, mm_cfg.CGIEXT,

    def GetOptionsURL(self, scriptname, obscure=0, relative=0):
        addr = string.lower(addr)
        url = self.GetScriptURL('options', relative)
        if obscured:
            addr = Utils.ObscureEmail(addr)
        return '%s/%s' % (url, addr)

and getting rid of GetRelativeScriptURL(), GetAbsoluteScriptURL(),
GetAbsoluteOptionsURL().  Also, modifying the rest of the source to
use just one of these two new functions.

If you like it, I'll make these changes to the CVS tree.

    DM> How does the putback process usually work?  Does someone
    DM> review code, or do we have a "holding area" that's protected
    DM> somehow, or?...

Basically, post the code to mailman-developers, or send it to
mailman-cabal.  It's up to one of the core maintainers to integrate it
with the CVS code base.