authorMark Sapiro <msapiro@value.net>2011-04-25 16:52:35 -0700
committerMark Sapiro <msapiro@value.net>2011-04-25 16:52:35 -0700
commitaa8dd12bd7f3c442cdcc702b6bb1d8cabbca7d40 (patch)
treee94b411dc9cfcefc5346df1fdff8264f195c43f7 /Mailman/SecurityManager.py
parent7ef6c582816cb349f240054064d495753a916408 (diff)
A new list poster password has been implemented. This password may only
be used in Approved: or X-Approved: headers for pre-approving posts. Using this password for that purpose precludes compromise of a more valuable password sent in plain text email. Bug #770581.
Diffstat (limited to '')
-rw-r--r--Mailman/SecurityManager.py9
1 files changed, 9 insertions, 0 deletions
diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py
index c2f57cc4..5d5acd5b 100644
--- a/Mailman/SecurityManager.py
+++ b/Mailman/SecurityManager.py
@@ -83,6 +83,7 @@ class SecurityManager:
# self.password is really a SecurityManager attribute, but it's set in
# MailList.InitVars().
self.mod_password = None
+ self.post_password = None
# Non configurable
self.passwords = {}
@@ -106,6 +107,9 @@ class SecurityManager:
secret = self.getMemberPassword(user)
userdata = urllib.quote(Utils.ObscureEmail(user), safe='')
key += 'user+%s' % userdata
+ elif authcontext == mm_cfg.AuthListPoster:
+ secret = self.post_password
+ key += 'poster'
elif authcontext == mm_cfg.AuthListModerator:
secret = self.mod_password
key += 'moderator'
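Review bot: The new `elif authcontext == mm_cfg.AuthListPoster:` branch reads `self.post_password` unconditionally, but this hunk's first part only initialises the attribute in the InitVars path, so a list object unpickled from before this change would raise AttributeError here unless a schema upgrade elsewhere (e.g. a versions.py step, not visible in this file-limited diff) adds the attribute. If no such step exists, a defensive read keeps the poster context from breaking old lists: `secret = getattr(self, 'post_password', None)`, which falls through to the existing "no secret" handling. The `key += 'poster'` cookie suffix parallels the `'moderator'` one above and looks consistent. The enclosing AuthContextInfo body starts and ends outside the hunk.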
@@ -200,6 +204,11 @@ class SecurityManager:
key, secret = self.AuthContextInfo(ac)
if secret and sha_new(response).hexdigest() == secret:
return ac
+ elif ac == mm_cfg.AuthListPoster:
+ # The list poster password must be sha'd
+ key, secret = self.AuthContextInfo(ac)
+ if secret and sha_new(response).hexdigest() == secret:
+ return ac
elif ac == mm_cfg.AuthUser:
if user is not None:
try:
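Review bot: The added `elif ac == mm_cfg.AuthListPoster:` branch is a line-for-line copy of the AuthListModerator branch directly above it (same `AuthContextInfo(ac)` call, same `sha_new(response).hexdigest() == secret` test, same `return ac`), and a copy-paste pair like this tends to drift when one is later fixed and the other is not. Folding them into one branch keeps the behaviour identical: `elif ac in (mm_cfg.AuthListModerator, mm_cfg.AuthListPoster):` with the comment `# The list moderator and poster passwords must be sha'd`. Separately, both branches compare the stored hex digest with `==`, so the time taken depends on how many leading characters match; this mirrors the pre-existing moderator check rather than being new to this commit, and a constant-time comparison (`hmac.compare_digest` where the supported Python provides it, otherwise a small helper) would be a follow-up for both. The enclosing Authenticate body starts before and continues past this hunk.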