aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMark Sapiro <mark@msapiro.net>2009-09-03 11:12:06 -0700
committerMark Sapiro <mark@msapiro.net>2009-09-03 11:12:06 -0700
commitceb88caaee06806576bbaab2a4a313d9e7823d07 (patch)
tree702f957c2f01004481e477805ea2b6449a289ea6
parentab93e70f12da510902dffa7a393f5173c2073d6e (diff)
downloadmailman2-ceb88caaee06806576bbaab2a4a313d9e7823d07.tar.gz
mailman2-ceb88caaee06806576bbaab2a4a313d9e7823d07.tar.xz
mailman2-ceb88caaee06806576bbaab2a4a313d9e7823d07.zip
Inadvertently setting a null site or list password allowed access
to a list's web admin interface without authentication. Fixed by not accepting null passwords.
-rw-r--r--Mailman/SecurityManager.py3
-rw-r--r--NEWS4
2 files changed, 7 insertions, 0 deletions
diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py
index fc2ffd92..dceb3d00 100644
--- a/Mailman/SecurityManager.py
+++ b/Mailman/SecurityManager.py
@@ -137,6 +137,9 @@ class SecurityManager:
#
# Return the authcontext from the argument sequence that matches the
# response, or UnAuthorized.
+ if not response:
+ # Don't authenticate null passwords
+ return mm_cfg.UnAuthorized
for ac in authcontexts:
if ac == mm_cfg.AuthCreator:
ok = Utils.check_global_password(response, siteadmin=0)
diff --git a/NEWS b/NEWS
index cc3f2e48..f2228cc3 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,10 @@ Here is a history of user visible changes to Mailman.
Bug Fixes and other patches
+ - Inadvertently setting a null site or list password allowed access
+ to a list's web admin interface without authentication. Fixed by
+ not accepting null passwords.
+
- Changed VERP_CONFIRM_REGEXP in Defaults.py to work if the replying
MUA folds the To: header and in cases where the list name includes '+'.