[Mailman-Developers] REST API returning value of password field in user record
barry at list.org
Sat Jan 10 05:05:29 CET 2015
On Jan 10, 2015, at 10:58 AM, Andrew Stuart wrote:
>I’m aware that it’s not the actual cleartext password.
>From a security perspective should even salted and hashed passwords
>stay behind the API or might there be a need for something on the other side
>of the API to access that field?
Keeping in mind that the core's REST API is a privileged API, only to be
exposed over localhost, it is intended to make the hashed password field
available. For a public facing proxy, I would expect this field to be