authorMark Sapiro <msapiro@value.net>2011-05-09 18:34:07 -0700
committerMark Sapiro <msapiro@value.net>2011-05-09 18:34:07 -0700
commit168f74f5b381070879789f8b6c4e4ee8b599dbd6 (patch)
treeff7e7aa77da017de17c03b29c242ee448acecc24
parent68c8d57f95b53ed2dc204bf0ee617c650df00c9a (diff)
downloadmailman2-168f74f5b381070879789f8b6c4e4ee8b599dbd6.tar.gz
mailman2-168f74f5b381070879789f8b6c4e4ee8b599dbd6.tar.xz
mailman2-168f74f5b381070879789f8b6c4e4ee8b599dbd6.zip
Prevented setting user passwords with leading/trailing whitespace. Bug #778088.
-rw-r--r--Mailman/Cgi/options.py6
-rw-r--r--Mailman/Cgi/roster.py6
-rw-r--r--Mailman/Cgi/subscribe.py8
-rw-r--r--NEWS4
4 files changed, 12 insertions, 12 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 6841ae64..6316af6e 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2010 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -434,8 +434,8 @@ address. Upon confirmation, any other mailing list containing the address
options_page(mlist, doc, user, cpuser, userlang)
print doc.Format()
return
- newpw = cgidata.getvalue('newpw')
- confirmpw = cgidata.getvalue('confpw')
+ newpw = cgidata.getvalue('newpw', '').strip()
+ confirmpw = cgidata.getvalue('confpw', '').strip()
if not newpw or not confirmpw:
options_page(mlist, doc, user, cpuser, userlang,
_('Passwords may not be blank'))
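Review bot: The new `cgidata.getvalue('newpw', '').strip()` and `cgidata.getvalue('confpw', '').strip()` lines will raise AttributeError when the form field is submitted more than once, because `cgi.FieldStorage.getvalue` returns a list in that case (cgidata appears to be a FieldStorage here, given the default argument), and a duplicated field is trivial for a client to send, so a stray request turns into a traceback instead of the "Passwords may not be blank" page. Using `getfirst`, which always yields a single string, keeps the strip safe: `newpw = cgidata.getfirst('newpw', '').strip()` and `confirmpw = cgidata.getfirst('confpw', '').strip()`. The same pattern is introduced on the `roster-pw`/`roster-email` lines of the roster.py hunk and the `pw`/`pw-conf` lines of the subscribe.py hunk. The enclosing function starts and ends outside this hunk.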
diff --git a/Mailman/Cgi/roster.py b/Mailman/Cgi/roster.py
index d31608ff..6260c973 100644
--- a/Mailman/Cgi/roster.py
+++ b/Mailman/Cgi/roster.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2008 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -73,8 +73,8 @@ def main():
# "admin"-only, then we try to cookie authenticate the user, and failing
# that, we check roster-email and roster-pw fields for a valid password.
# (also allowed: the list moderator, the list admin, and the site admin).
- password = cgidata.getvalue('roster-pw', '')
- addr = cgidata.getvalue('roster-email', '')
+ password = cgidata.getvalue('roster-pw', '').strip()
+ addr = cgidata.getvalue('roster-email', '').strip()
list_hidden = (not mlist.WebAuthenticate((mm_cfg.AuthUser,),
password, addr)
and mlist.WebAuthenticate((mm_cfg.AuthListModerator,
diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py
index 0d10eb19..7c49c51c 100644
--- a/Mailman/Cgi/subscribe.py
+++ b/Mailman/Cgi/subscribe.py
@@ -125,12 +125,12 @@ def process_form(mlist, doc, cgidata, lang):
syslog('mischief', 'Attempt to self subscribe %s: %s', email, remote)
results.append(_('You may not subscribe a list to itself!'))
# If the user did not supply a password, generate one for him
- password = cgidata.getvalue('pw')
- confirmed = cgidata.getvalue('pw-conf')
+ password = cgidata.getvalue('pw', '').strip()
+ confirmed = cgidata.getvalue('pw-conf', '').strip()
- if password is None and confirmed is None:
+ if not password and not confirmed:
password = Utils.MakeRandomPassword()
- elif password is None or confirmed is None:
+ elif not password or not confirmed:
results.append(_('If you supply a password, you must confirm it.'))
elif password <> confirmed:
results.append(_('Your passwords did not match.'))
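Review bot: The comment `# If the user did not supply a password, generate one for him` no longer describes the branch fully, since the new `if not password and not confirmed:` test also treats whitespace-only input (and an explicitly empty field, which the old `is None` check let through to the equality comparison) as "no password". Suggest `# If the user supplied no password, or only whitespace, generate one for him` so the next reader does not assume only a missing field takes this path. process_form continues outside this hunk.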
diff --git a/NEWS b/NEWS
index f6287bb7..02604231 100644
--- a/NEWS
+++ b/NEWS
@@ -55,8 +55,8 @@ Here is a history of user visible changes to Mailman.
Bug Fixes and other patches
- - Strengthened escaping of user web data by including some characters that
- some older browsers misinterpret as < or >.
+ - Prevented setting user passwords with leading/trailing whitespace.
+ Bug #778088.
- Mailman now sets the 'secure' flag in cookies set via https URLs.
Bug #770377.