[Mailman-Developers] REST API returning value of password field in user record

Barry Warsaw barry at list.org
Sat Jan 10 05:05:29 CET 2015

On Jan 10, 2015, at 10:58 AM, Andrew Stuart wrote:

>I’m aware that it’s not the actual cleartext password.
>From a security perspective should even salted and hashed passwords should
>stay behind the API or might there be a need for something on the other side
>of the API to access that field?

Keeping in mind that the core's REST API is a privileged API, only to be
exposed over localhost, it is intended to make the hashed password field
available.  For a public facing proxy, I would expect this field to be
filtered out.


More information about the Mailman-Developers mailing list