From aa8dd12bd7f3c442cdcc702b6bb1d8cabbca7d40 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Mon, 25 Apr 2011 16:52:35 -0700
Subject: A new list poster password has been implemented. This password may only be used in Approved: or X-Approved: headers for pre-approving posts. Using this password for that purpose precludes compromise of a more valuable password sent in plain text email. Bug #770581.
---
 Mailman/SecurityManager.py | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'Mailman/SecurityManager.py')
diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py
index c2f57cc4..5d5acd5b 100644
--- a/Mailman/SecurityManager.py
+++ b/Mailman/SecurityManager.py
@@ -83,6 +83,7 @@ class SecurityManager:
 # self.password is really a SecurityManager attribute, but it's set in
 # MailList.InitVars().
 self.mod_password = None
+ self.post_password = None
 # Non configurable
 self.passwords = {}
@@ -106,6 +107,9 @@ class SecurityManager:
 secret = self.getMemberPassword(user)
 userdata = urllib.quote(Utils.ObscureEmail(user), safe='')
 key += 'user+%s' % userdata
+ elif authcontext == mm_cfg.AuthListPoster:
+ secret = self.post_password
+ key += 'poster'
 elif authcontext == mm_cfg.AuthListModerator:
 secret = self.mod_password
 key += 'moderator'
@@ -200,6 +204,11 @@ class SecurityManager:
 key, secret = self.AuthContextInfo(ac)
 if secret and sha_new(response).hexdigest() == secret:
 return ac
+ elif ac == mm_cfg.AuthListPoster:
+ # The list poster password must be sha'd
+ key, secret = self.AuthContextInfo(ac)
+ if secret and sha_new(response).hexdigest() == secret:
+ return ac
 elif ac == mm_cfg.AuthUser:
 if user is not None:
 try:
-- 
cgit v1.2.3
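Review bot: The new `AuthListPoster` branch in the second hunk (at +107) does not record that this secret is meant for Approved:/X-Approved: pre-approval only. It returns a cookie key suffix (`'poster'`) in the same way as the neighbouring contexts, so the restriction described in the commit message presumably depends on callers never passing this context to the web authentication path, which is not visible in this diff. A comment above the branch would pin that down, for example `# Poster password: only valid for Approved:/X-Approved: pre-approval; callers must not accept it for web login.` The enclosing function starts and ends outside the hunk.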
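Review bot: The added `elif ac == mm_cfg.AuthListPoster:` branch in the third hunk stores and checks the poster password as an unsalted SHA-1 hex digest, `sha_new(response).hexdigest() == secret`. A leaked list configuration would therefore expose it to cheap offline guessing, and lists that reuse the same poster password would share the same digest. This mirrors the check in the context lines just above, so it is inherited rather than new. Since the password is sent in plain-text mail by design, the hunk should say so where the check is made, for example `# Low-value secret: unsalted SHA-1, sent in clear-text mail; never reuse the admin or moderator password here.` The body is also a line-for-line copy of the preceding branch, whose `elif` header lies outside the hunk. If that is the moderator branch, the two could share one test, `elif ac in (mm_cfg.AuthListModerator, mm_cfg.AuthListPoster):`.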