[Mailman-Users] Controlling Mailman 2.1.x remotely

Mark Sapiro mark at msapiro.net
Sun Aug 10 23:01:02 CEST 2014


On 08/10/2014 01:07 PM, S. Patrick Eaton wrote:
> 
> ... has
> been providing a homegrown administrative interface that uses PHP and curl
> to simulate user interactions via POST.
> 
> When a recent update to Mailman introduced CSRF tokens, however, this
> approach broke down and the organization has been struggling to figure out
> how to manage the lists ever since.


If you are authenticating to the admin interface via a cookie from a
preceding login, you can modify the PHP scripts to first GET the page,
parse the page for the value of csrf_token and submit csrf_token=<value>
along with the POST data.

On the other hand, if you authenticate by including
adminpw=<adminpassword> in the POST data, the CSRF token is not required
as it is only checked if authentication is not via password.

See <http://wiki.list.org/x/Z4A9>.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
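
The cookie-authenticated flow described in the message above (GET the page, parse out csrf_token, send it with the POST data), written in PHP with curl. This is an added example, not code from the thread or from Mailman: the function names, the cookie-jar argument and the sample page are constructed, and it assumes the token is carried in a hidden input named csrf_token and that the form posts back to the URL it was fetched from.

```php
<?php
// Added example: names, URL and cookie-jar path are hypothetical.
// Assumption: the token is a hidden <input name="csrf_token"> in the page.

function extract_csrf_token(string $html): ?string
{
    if ($html === '') {
        return null;                       // loadHTML() rejects empty input
    }
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy HTML
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $hits = (new DOMXPath($doc))->query('//input[@name="csrf_token"]/@value');
    return $hits->length > 0 ? $hits->item(0)->nodeValue : null;
}

function http(string $url, string $jar, ?array $post = null): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEFILE     => $jar,    // send the cookie from the earlier login
        CURLOPT_COOKIEJAR      => $jar,    // store any refreshed cookie
    ]);
    if ($post !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    }
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('curl failed: ' . curl_error($ch));
    }
    return $body;
}

function post_with_token(string $url, string $jar, array $fields): string
{
    $token = extract_csrf_token(http($url, $jar));      // 1. GET the form page
    if ($token === null) {
        throw new RuntimeException('csrf_token not found; is the login cookie valid?');
    }
    $fields['csrf_token'] = $token;                      // 2. add it to the POST data
    return http($url, $jar, $fields);                    // 3. POST
}

// Constructed sample page so the parser can be exercised offline.
$sample = '<form method="POST"><input type="hidden" name="csrf_token" value="CONSTRUCTED-TOKEN"></form>';
var_dump(extract_csrf_token($sample));
```

The token is fetched fresh before every POST rather than cached between requests.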

