From ceb88caaee06806576bbaab2a4a313d9e7823d07 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Thu, 3 Sep 2009 11:12:06 -0700
Subject: Inadvertently setting a null site or list password allowed access to a list's web admin interface without authentication. Fixed by not accepting null passwords.

---
 Mailman/SecurityManager.py | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'Mailman')

diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py
index fc2ffd92..dceb3d00 100644
--- a/Mailman/SecurityManager.py
+++ b/Mailman/SecurityManager.py
@@ -137,6 +137,9 @@ class SecurityManager:
 #
 # Return the authcontext from the argument sequence that matches the
 # response, or UnAuthorized.
+ if not response:
+ # Don't authenticate null passwords
+ return mm_cfg.UnAuthorized
 for ac in authcontexts:
 if ac == mm_cfg.AuthCreator:
 ok = Utils.check_global_password(response, siteadmin=0)
--
cgit v1.2.3
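Review bot: The `if not response:` guard rejects an empty submission, but it only protects callers that reach the comparison through this method; the stored site or list password can still be set to a null value, and per the commit message that is what made an empty response match in the first place, so the same refusal belongs at the point where the password is set and, as a second line of defence, inside the per-context helpers such as `Utils.check_global_password` so a null stored credential never validates regardless of caller. The guard also only rejects falsy values, so a whitespace-only response still flows through to the comparison — whether that is acceptable depends on how the setter normalises passwords, which is worth confirming. The new comment would read better if it stated the invariant rather than the action, e.g. `# An empty/None response must never authenticate, even if the stored password is itself null`. If other authentication failures in this file are logged, the early return should record the attempt the same way so operators can see it. The enclosing method starts and ends outside the hunk.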