authorMark Sapiro <msapiro@value.net>2011-04-25 16:52:35 -0700
committerMark Sapiro <msapiro@value.net>2011-04-25 16:52:35 -0700
commitaa8dd12bd7f3c442cdcc702b6bb1d8cabbca7d40 (patch)
treee94b411dc9cfcefc5346df1fdff8264f195c43f7 /Mailman/Cgi
parent7ef6c582816cb349f240054064d495753a916408 (diff)
A new list poster password has been implemented. This password may only
be used in Approved: or X-Approved: headers for pre-approving posts. Using this password for that purpose precludes compromise of a more valuable password sent in plain text email. Bug #770581.
Diffstat (limited to 'Mailman/Cgi')
-rw-r--r--Mailman/Cgi/admin.py27
1 files changed, 27 insertions, 0 deletions
diff --git a/Mailman/Cgi/admin.py b/Mailman/Cgi/admin.py
index 22ebe16a..569aa61c 100644
--- a/Mailman/Cgi/admin.py
+++ b/Mailman/Cgi/admin.py
@@ -1258,6 +1258,22 @@ and also provide the email addresses of the list moderators in the
PasswordBox('confirmmodpw', size=20)])
# Add these tables to the overall password table
table.AddRow([atable, mtable])
+ table.AddRow([_("""\
+In addition to the above passwords you may specify a password for
+pre-approving posts to the list. Either of the above two passwords can
+be used in an Approved: header or first body line pseudo-header to
+pre-approve a post that would otherwise be held for moderation. In
+addition, the password below, if set, can be used for that purpose and
+no other.""")])
+ table.AddCellInfo(table.GetCurrentRowIndex(), 0, colspan=2)
+ # Set up the post password table
+ ptable = Table(border=0, cellspacing=3, cellpadding=4,
+ bgcolor=mm_cfg.WEB_ADMINPW_COLOR)
+ ptable.AddRow([Label(_('Enter new poster password:')),
+ PasswordBox('newpostpw', size=20)])
+ ptable.AddRow([Label(_('Confirm poster password:')),
+ PasswordBox('confirmpostpw', size=20)])
+ table.AddRow([ptable])
return table
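Review bot: The help text added ahead of the poster password table says what the password can be used for, but not why an administrator should set one, and that reason is the security point of the change. Approved: headers travel in plain text email, so the text should tell the administrator to choose a poster password that differs from the two passwords above. One way is to append `Because this password is sent in plain text email, choose one that differs from the passwords above.` inside the `_()` string. The enclosing function starts before this hunk.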
@@ -1288,6 +1304,17 @@ def change_options(mlist, category, subcat, cgidata, doc):
# password doesn't get you into these pages.
else:
doc.addError(_('Moderator passwords did not match'))
+ # Handle changes to the list poster password. Do this before checking
+ # the new admin password, since the latter will force a reauthentication.
+ new = cgidata.getvalue('newpostpw', '').strip()
+ confirm = cgidata.getvalue('confirmpostpw', '').strip()
+ if new or confirm:
+ if new == confirm:
+ mlist.post_password = sha_new(new).hexdigest()
+ # No re-authentication necessary because the poster's
+ # password doesn't get you into these pages.
+ else:
+ doc.addError(_('Poster passwords did not match'))
# Handle changes to the list administrator password
new = cgidata.getvalue('newpw', '').strip()
confirm = cgidata.getvalue('confirmpw', '').strip()
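Review bot: The new block stores the digest as soon as `new == confirm`, so nothing stops the poster password from being set to the same string as the administrator or moderator password, which would defeat the separation this commit introduces. Assuming those two are kept as the same kind of digest in `mlist.password` and `mlist.mod_password` (not visible in this hunk), a guard before the assignment such as `if sha_new(new).hexdigest() in (mlist.password, mlist.mod_password):` followed by `doc.addError(_('Poster password must differ from the other list passwords'))` would catch it. Separately, `if new or confirm:` ignores a blank submission, so a poster password that has leaked from email can be replaced from this form but never cleared; a comment saying so, or an explicit way to clear it, would help. change_options starts before this hunk and continues after it.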