diff options
author | Mark Sapiro <mark@msapiro.net> | 2009-09-03 11:12:06 -0700 |
---|---|---|
committer | Mark Sapiro <mark@msapiro.net> | 2009-09-03 11:12:06 -0700 |
commit | ceb88caaee06806576bbaab2a4a313d9e7823d07 (patch) | |
tree | 702f957c2f01004481e477805ea2b6449a289ea6 | |
parent | ab93e70f12da510902dffa7a393f5173c2073d6e (diff) | |
download | mailman2-ceb88caaee06806576bbaab2a4a313d9e7823d07.tar.gz mailman2-ceb88caaee06806576bbaab2a4a313d9e7823d07.tar.xz mailman2-ceb88caaee06806576bbaab2a4a313d9e7823d07.zip |
Inadvertently setting a null site or list password allowed access
to a list's web admin interface without authentication. Fixed by
not accepting null passwords.
-rw-r--r-- | Mailman/SecurityManager.py | 3 | ||||
-rw-r--r-- | NEWS | 4 |
2 files changed, 7 insertions, 0 deletions
diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py index fc2ffd92..dceb3d00 100644 --- a/Mailman/SecurityManager.py +++ b/Mailman/SecurityManager.py @@ -137,6 +137,9 @@ class SecurityManager: # # Return the authcontext from the argument sequence that matches the # response, or UnAuthorized. + if not response: + # Don't authenticate null passwords + return mm_cfg.UnAuthorized for ac in authcontexts: if ac == mm_cfg.AuthCreator: ok = Utils.check_global_password(response, siteadmin=0) @@ -8,6 +8,10 @@ Here is a history of user visible changes to Mailman. Bug Fixes and other patches + - Inadvertently setting a null site or list password allowed access + to a list's web admin interface without authentication. Fixed by + not accepting null passwords. + - Changed VERP_CONFIRM_REGEXP in Defaults.py to work if the replying MUA folds the To: header and in cases where the list name includes '+'. |