[Mailman-Developers] Re: Mailman and cookies.

Marc MERLIN marc_news@valinux.com
Tue, 23 Oct 2001 17:10:16 -0700


On Fri, Oct 19, 2001 at 07:24:52PM -0400, Barry A. Warsaw wrote:
> 
> >>>>> "CVR" == Chuq Von Rospach <chuqui@plaidworks.com> writes:
> 
>     CVR> Barry, I think you need to take a look at your cookie code,
>     CVR> and look for ways to bullet-proof it. It seems to have some
>     CVR> assumptions that I found out the hard way aren't safe.
> 
> This patch against Mailman 2.0.6 should be enough to prevent the core
> dumps.  If you haven't completed your upgrade yet, can you give it a
> try?
 
I have the same cookie problems as Chuq, except that mm's admin interface
returns a 500 error (no core dump; I have Python 1.5.2).

Would that patch fix the failures in the admin script when a bad cookie
shows up?

> -------------------- snip snip --------------------
> Index: SecurityManager.py
> ===================================================================
> RCS file: /cvsroot/mailman/mailman/Mailman/SecurityManager.py,v
> retrieving revision 1.31.2.1
> diff -u -r1.31.2.1 SecurityManager.py
> --- SecurityManager.py	2001/07/25 18:07:51	1.31.2.1
> +++ SecurityManager.py	2001/10/19 23:23:12
> @@ -118,7 +118,7 @@
>          cookiedata = os.environ.get('HTTP_COOKIE')
>          if not cookiedata:
>              return 0
> -        c = Cookie.Cookie(cookiedata)
> +        c = Cookie.Cookie(cookiedata, net_setfunc=lambda x: x)
>          if not c.has_key(key):
>              return 0
>          # Undo the encoding we performed in MakeCookie() above
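
Review bot: The changed line `c = Cookie.Cookie(cookiedata, net_setfunc=lambda x: x)` has no comment explaining why an identity function is passed as net_setfunc, so a later reader could take it for a no-op and remove it. A one-line comment stating that the cookie value is deliberately passed through unchanged at this point would protect the fix. Separately, cookiedata comes straight from the client's HTTP_COOKIE header, and with this change the step announced by the trailing comment ("Undo the encoding we performed in MakeCookie() above") becomes the first place the value is interpreted. That code is outside the visible context, so it is worth confirming that it returns 0 on a malformed value instead of raising, since an uncaught exception there would still surface as the 500 error asked about in this reply.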

-- 
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
  
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key