[Mailman-Developers] REST API returning value of password field in user record

Stephen J. Turnbull stephen at xemacs.org
Sat Jan 10 05:57:38 CET 2015

Andrew Stuart writes:

 > From a security perspective should even salted and hashed passwords
 > should stay behind the API or might there be a need for something
 > on the other side of the API to access that field?

At present the REST API is available only on localhost (at least by
default), so it's not that big a risk (yes, I understand defense in
depth, but there's a need of corresponding importance).  In the
absence of a proper authz/authn module inside of Mailman itself, I
don't see a real alternative to making that data available to
mailman.client, and thus making it possible for other user apps
(HyperKitty, Postorius) to get authorization to access a specific
user's data.

In the long run we need to do something about this.  However, Mailman
has operated based on passing around *cleartext* passwords by *email*
for decades, with no serious issues that I know of.

If Barry is serious about World Domination, we need to fix this, but I
don't see a huge hurry.


More information about the Mailman-Developers mailing list