aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMark Sapiro <msapiro@value.net>2011-04-25 15:18:56 -0700
committerMark Sapiro <msapiro@value.net>2011-04-25 15:18:56 -0700
commit663e0178728b6618064743a737f72889f014787e (patch)
tree3b479b226d4b3315602e96a9c4452b66cf2b564b
parentd994cc918097ea2ce791657ff8d6b8aef8b583f4 (diff)
downloadmailman2-663e0178728b6618064743a737f72889f014787e.tar.gz
mailman2-663e0178728b6618064743a737f72889f014787e.tar.xz
mailman2-663e0178728b6618064743a737f72889f014787e.zip
Mailman now sets the 'secure' flag in cookies set via https URLs.
Bug #770377.
-rw-r--r--Mailman/SecurityManager.py7
-rw-r--r--NEWS3
2 files changed, 9 insertions, 1 deletions
diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py
index dceb3d00..902c1fdd 100644
--- a/Mailman/SecurityManager.py
+++ b/Mailman/SecurityManager.py
@@ -245,8 +245,13 @@ class SecurityManager:
c[key] = binascii.hexlify(marshal.dumps((issued, mac)))
# The path to all Mailman stuff, minus the scheme and host,
# i.e. usually the string `/mailman'
- path = urlparse(self.web_page_url)[2]
+ parsed = urlparse(self.web_page_url)
+ path = parsed.path
c[key]['path'] = path
+ # Make sure to set the 'secure' flag on the cookie if mailman is
+ # accessed by an https url.
+ if parsed.scheme == 'https':
+ c[key]['secure'] = True
# We use session cookies, so don't set `expires' or `max-age' keys.
# Set the RFC 2109 required header.
c[key]['version'] = 1
diff --git a/NEWS b/NEWS
index e0072b92..6fe291f5 100644
--- a/NEWS
+++ b/NEWS
@@ -38,6 +38,9 @@ Here is a history of user visible changes to Mailman.
Bug Fixes and other patches
+ - Mailman now sets the 'secure' flag in cookies set via https URLs.
+ Bug #770377.
+
- Added a logout link to the admindb interface and made both admin and
admindb logout effective for a site admin cookie if allowed.
Bug #769318.