[Mailman-Users] mm2.1 cookie problem?

Bryan Fullerton bryanf at samurai.com
Wed Jan 8 05:36:22 CET 2003

On Tuesday, January 7, 2003, at 12:15 AM, Barry A. Warsaw wrote:

> BTW, for the hacker inclined, an possibly useful way to debug this is
> to edit SecurityManager.py, the __checkone() method.  Stick something
> like this before the first try: line (untested):
>     syslog('debug', 'key: %s, c[key]: %s, val: %s', key, c[key], 
> c[key].value)
> then tail logs/debug until you see the problem.  Maybe something
> interesting will show up.

I finally had time in the past half hour to dedicate to debugging this 
using syslog() thrown in at various places in SecurityManager.py.

The result of that is... we don't even get to __checkone(). If there 
are *any* mm2.0 cookies in the URI-space mm2.1 looks in, the following 
code will always raise a Cookie.CookieException and return 0.

         # Treat the cookie data as simple strings, and do application 
         # decoding as necessary.  By using SimpleCookie, we prevent any 
         # of security breach due to untrusted cookie data being 
         # (which is quite unsafe).
             c = Cookie.SimpleCookie(cookiedata)
         except Cookie.CookieError:
             return 0

If python's Cookie code (or at least SimpleCookie) doesn't like cookies 
with :'s in them that'd explain it.

This is rather a problem for anyone thinking they could run both mm2.0 
and mm2.1 mapped into the same URI-space. Simply put, you can't 
(without re-auth'ing with every action in 2.1 lists), unless the mm2.1 
code is rewritten to handle that exception better. Or unless you nuke 
all your cookies after every use of a 2.0 list (not just logout - in my 
testing that doesn't actually remove the cookie, just the cookie's 

The good news is that this should be no problem once everything is 
moved to 2.1.


More information about the Mailman-Users mailing list