Inadvertently setting a null site or list password allowed access

to a list's web admin interface without authentication. Fixed by not accepting null passwords.
author: Mark Sapiro <mark@msapiro.net> 2009-09-03 11:12:06 -0700
committer: Mark Sapiro <mark@msapiro.net> 2009-09-03 11:12:06 -0700
commit: ceb88caaee06806576bbaab2a4a313d9e7823d07 (patch)
tree: 702f957c2f01004481e477805ea2b6449a289ea6 /Mailman
parent: ab93e70f12da510902dffa7a393f5173c2073d6e (diff)
download: mailman2-ceb88caaee06806576bbaab2a4a313d9e7823d07.tar.gz
mailman2-ceb88caaee06806576bbaab2a4a313d9e7823d07.tar.xz
mailman2-ceb88caaee06806576bbaab2a4a313d9e7823d07.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py
index fc2ffd92..dceb3d00 100644
--- a/Mailman/SecurityManager.py
+++ b/Mailman/SecurityManager.py
@@ -137,6 +137,9 @@ class SecurityManager:
         #
         # Return the authcontext from the argument sequence that matches the
         # response, or UnAuthorized.
+        if not response:
+            # Don't authenticate null passwords
+            return mm_cfg.UnAuthorized
         for ac in authcontexts:
             if ac == mm_cfg.AuthCreator:
                 ok = Utils.check_global_password(response, siteadmin=0)
author	Mark Sapiro <mark@msapiro.net>	2009-09-03 11:12:06 -0700
committer	Mark Sapiro <mark@msapiro.net>	2009-09-03 11:12:06 -0700
commit	ceb88caaee06806576bbaab2a4a313d9e7823d07 (patch)
tree	702f957c2f01004481e477805ea2b6449a289ea6 /Mailman
parent	ab93e70f12da510902dffa7a393f5173c2073d6e (diff)
download	mailman2-ceb88caaee06806576bbaab2a4a313d9e7823d07.tar.gz mailman2-ceb88caaee06806576bbaab2a4a313d9e7823d07.tar.xz mailman2-ceb88caaee06806576bbaab2a4a313d9e7823d07.zip