[Mailman-Developers] Do we need the password in the HTML of the confirm page?
Barry A. Warsaw
barry@zope.com
Mon, 4 Mar 2002 15:09:25 -0500
>>>>> "MM" == Marc MERLIN <marc_news@vasoftware.com> writes:

MM> When I went to:
MM> http://gandalf-lists.merlins.org/lists/confirm/test2/372ff4ab4ca390f3c3bfabd47cd78e92489a0b5d
MM> (don't bother trying, it's localhost on my laptop :-D) I get
MM> an HTML page to confirm my subscription.

MM> I haven't looked at the code in detail, but does mailman need
MM> to put the list password in cleartext in the HTML? (if the
MM> answer is "yes", then never mind)

MM> It's not the end of the world, but if someone puts my Email by
MM> mistake (one letter typo or something in a company), I can get
MM> his mailman password, and with a little luck that password
MM> could work in other places too (not that the person is
MM> supposed to use the same password, but...)

I don't think Mailman needs to put the password on this page. I've
disabled it, and included a note that the password can be changed once
the user is subscribed.
-Barry
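
A regression check for the issue discussed in this thread, as an added example that is not part of the original messages and is not Mailman's code: it scans a rendered confirmation page for a known test password and for any pre-filled password field. The page markup, field names, `SecretLeakScanner` and `scan` are all constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample data: none of this is Mailman's real markup.
SECRET = "s3cret-constructed"
PAGE_CLEARTEXT = """<form method="post">
<input type="hidden" name="token" value="PLACEHOLDER-TOKEN">
Password: <input type="text" name="pw" value="s3cret-constructed">
<input type="submit" value="Subscribe">
</form>"""
PAGE_MASKED = '<form><input type="password" name="pw" value="s3cret-constructed"></form>'
PAGE_FIXED = """<form method="post">
<input type="hidden" name="token" value="PLACEHOLDER-TOKEN">
<p>You can change your password once you are subscribed.</p>
<input type="submit" value="Subscribe">
</form>"""


class SecretLeakScanner(HTMLParser):
    """Record where a known secret, or any pre-filled password input,
    appears in a rendered page (hypothetical helper)."""

    def __init__(self, secret):
        super().__init__(convert_charrefs=True)
        self.secret = secret
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # type="password" only masks the display; the value is still in
        # the page source for whoever holds the confirmation link.
        if (tag == "input" and attrs.get("type", "").lower() == "password"
                and attrs.get("value")):
            self.findings.append(("prefilled-password-input", attrs.get("name", "")))
        # The secret can also sit in a text or hidden field.
        for name, value in attrs.items():
            if self.secret in value:
                self.findings.append(("secret-in-attribute", f"{tag}@{name}"))

    def handle_data(self, data):
        if self.secret in data:
            self.findings.append(("secret-in-text", data.strip()[:40]))


def scan(html, secret):
    """Return the list of findings for one rendered page."""
    scanner = SecretLeakScanner(secret)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Run against a test subscription with a known password, an empty result from `scan` is the pass condition for the confirmation page.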