Mailman now sets the 'secure' flag in cookies set via https URLs.

Bug #770377.
author: Mark Sapiro <msapiro@value.net> 2011-04-25 15:18:56 -0700
committer: Mark Sapiro <msapiro@value.net> 2011-04-25 15:18:56 -0700
commit: 663e0178728b6618064743a737f72889f014787e (patch)
tree: 3b479b226d4b3315602e96a9c4452b66cf2b564b /Mailman
parent: d994cc918097ea2ce791657ff8d6b8aef8b583f4 (diff)
download: mailman2-663e0178728b6618064743a737f72889f014787e.tar.gz
mailman2-663e0178728b6618064743a737f72889f014787e.tar.xz
mailman2-663e0178728b6618064743a737f72889f014787e.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py
index dceb3d00..902c1fdd 100644
--- a/Mailman/SecurityManager.py
+++ b/Mailman/SecurityManager.py
@@ -245,8 +245,13 @@ class SecurityManager:
         c[key] = binascii.hexlify(marshal.dumps((issued, mac)))
         # The path to all Mailman stuff, minus the scheme and host,
         # i.e. usually the string `/mailman'
-        path = urlparse(self.web_page_url)[2]
+        parsed = urlparse(self.web_page_url)
+        path = parsed.path
         c[key]['path'] = path
+        # Make sure to set the 'secure' flag on the cookie if mailman is
+        # accessed by an https url.
+        if parsed.scheme == 'https':
+            c[key]['secure'] = True
         # We use session cookies, so don't set `expires' or `max-age' keys.
         # Set the RFC 2109 required header.
         c[key]['version'] = 1
author	Mark Sapiro <msapiro@value.net>	2011-04-25 15:18:56 -0700
committer	Mark Sapiro <msapiro@value.net>	2011-04-25 15:18:56 -0700
commit	663e0178728b6618064743a737f72889f014787e (patch)
tree	3b479b226d4b3315602e96a9c4452b66cf2b564b /Mailman
parent	d994cc918097ea2ce791657ff8d6b8aef8b583f4 (diff)
download	mailman2-663e0178728b6618064743a737f72889f014787e.tar.gz mailman2-663e0178728b6618064743a737f72889f014787e.tar.xz mailman2-663e0178728b6618064743a737f72889f014787e.zip