-rw-r--r-- | Mailman/SecurityManager.py | 3 | ||||
-rw-r--r-- | NEWS | 4 |
2 files changed, 7 insertions, 0 deletions
diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py
index fc2ffd92..dceb3d00 100644
--- a/Mailman/SecurityManager.py
+++ b/Mailman/SecurityManager.py
@@ -137,6 +137,9 @@ class SecurityManager:
 #
 # Return the authcontext from the argument sequence that matches the
 # response, or UnAuthorized.
+ if not response:
+ # Don't authenticate null passwords
+ return mm_cfg.UnAuthorized
 for ac in authcontexts:
 if ac == mm_cfg.AuthCreator:
 ok = Utils.check_global_password(response, siteadmin=0)
@@ -8,6 +8,10 @@ Here is a history of user visible changes to Mailman.
 Bug Fixes and other patches
+ - Inadvertently setting a null site or list password allowed access
+ to a list's web admin interface without authentication. Fixed by
+ not accepting null passwords.
+ - Changed VERP_CONFIRM_REGEXP in Defaults.py to work if the replying MUA folds the To: header and in cases where the list name includes '+'. |
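Review bot: The new `if not response:` guard fails closed, but its one-line comment `# Don't authenticate null passwords` leaves out the reason the check exists, which the NEWS entry in this same commit spells out: with a null site or list password stored, the per-context checks in the loop below could otherwise match an empty submission and grant web admin access. I would replace the comment with `# Fail closed on an empty response: if a null (unset) site or list password is stored, the checks below could otherwise match it and grant admin access.` so the next maintainer does not "simplify" the guard away. The fix is applied only at authentication time; the condition that made it exploitable, a null password being accepted when set, does not appear to be addressed here, so if a password setter exists it would be worth rejecting empty values there as well for a second layer. The enclosing method's `def` line is outside the hunk, so I cannot tell whether `response` is always a str at this point; note that `if not response:` also treats `None` as empty, which is consistent with the fail-closed intent.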