diff options
author | Mark Sapiro <msapiro@value.net> | 2011-04-25 15:18:56 -0700 |
---|---|---|
committer | Mark Sapiro <msapiro@value.net> | 2011-04-25 15:18:56 -0700 |
commit | 663e0178728b6618064743a737f72889f014787e (patch) | |
tree | 3b479b226d4b3315602e96a9c4452b66cf2b564b | |
parent | d994cc918097ea2ce791657ff8d6b8aef8b583f4 (diff) | |
download | mailman2-663e0178728b6618064743a737f72889f014787e.tar.gz mailman2-663e0178728b6618064743a737f72889f014787e.tar.xz mailman2-663e0178728b6618064743a737f72889f014787e.zip |
Mailman now sets the 'secure' flag in cookies set via https URLs.
Bug #770377.
-rw-r--r-- | Mailman/SecurityManager.py | 7 | ||||
-rw-r--r-- | NEWS | 3 |
2 files changed, 9 insertions, 1 deletions
diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py index dceb3d00..902c1fdd 100644 --- a/Mailman/SecurityManager.py +++ b/Mailman/SecurityManager.py @@ -245,8 +245,13 @@ class SecurityManager: c[key] = binascii.hexlify(marshal.dumps((issued, mac))) # The path to all Mailman stuff, minus the scheme and host, # i.e. usually the string `/mailman' - path = urlparse(self.web_page_url)[2] + parsed = urlparse(self.web_page_url) + path = parsed.path c[key]['path'] = path + # Make sure to set the 'secure' flag on the cookie if mailman is + # accessed by an https url. + if parsed.scheme == 'https': + c[key]['secure'] = True # We use session cookies, so don't set `expires' or `max-age' keys. # Set the RFC 2109 required header. c[key]['version'] = 1 @@ -38,6 +38,9 @@ Here is a history of user visible changes to Mailman. Bug Fixes and other patches + - Mailman now sets the 'secure' flag in cookies set via https URLs. + Bug #770377. + - Added a logout link to the admindb interface and made both admin and admindb logout effective for a site admin cookie if allowed. Bug #769318. |