path: root/NEWS
author    Mark Sapiro <msapiro@value.net>  2012-02-05 13:19:39 -0800
committer Mark Sapiro <msapiro@value.net>  2012-02-05 13:19:39 -0800
commit    fdd6141b978cdc0876263d962f996eb88964537b (patch)
tree      6836790556e26d896b791946fc60df5d0f88ab8a /NEWS
parent    3c1fe7bcb3c10650cd039c800aa1356886586873 (diff)
Added Tokio Kikuchi's Cross-site Request Forgery hardening to the admin UI.
Diffstat
-rw-r--r--  NEWS  8
1 file changed, 8 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 764a4c2d..96d6ff58 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,14 @@ Here is a history of user visible changes to Mailman.
- An XSS vulnerability, CVE-2011-0707, has been fixed.
+ - The web admin interface has been hardened against CSRF attacks by adding
+ a hidden, encrypted token with a time stamp to form submissions and not
+ accepting authentication by cookie if the token is missing, invalid or
+ older than the new mm_cfg.py setting FORM_LIFETIME which defaults to one
+ hour. Posthumous thanks go to Tokio Kikuchi for this implementation
+ which is only one of his many contributions to Mailman prior to his
+ death from cancer on 14 January 2012.
+
New Features
- Eliminated the list cache from the qrunners. Indirect self-references