authorbwarsaw2002-10-08 18:35:13 +0000
committerbwarsaw2002-10-08 18:35:13 +0000
commit6e07a48a2066819fbbdae02e05b0575d297cc5c0 (patch)
treede840c570b32c3ef265c8d5ec3e5a4bf61929cfb
parent23caba001a8ec6af226b380f9ccc39041e6e79e1 (diff)
process(): I really could have sworn this was already there, but
apparently not. If the first non-whitespace line of the first text/plain subpart has an Approved or Approve header, it's checked for the admin password, but /only/ if there's no real Approved or Approve header in the message (don't use both!).
Diffstat (limited to '')
-rw-r--r--Mailman/Handlers/Approve.py34
1 files changed, 30 insertions, 4 deletions
diff --git a/Mailman/Handlers/Approve.py b/Mailman/Handlers/Approve.py
index 5f4626c81..9876736de 100644
--- a/Mailman/Handlers/Approve.py
+++ b/Mailman/Handlers/Approve.py
@@ -23,9 +23,13 @@ not tested by this module.
"""
+from email.Iterators import typed_subpart_iterator
+
from Mailman import mm_cfg
from Mailman import Errors
+NL = '\n'
+
def process(mlist, msg, msgdata):
@@ -35,12 +39,34 @@ def process(mlist, msg, msgdata):
# TBD: we may want to further filter Usenet messages, so the test
# above may not be entirely correct.
return
- # See if the message has an Approved: or Approve: header with a valid
- # list-moderator, list-admin. We are specifically /not/ allowing the site
- # admins password to work here because we want to discourage the practice
- # of sending the site admin password through email in the clear.
+ # See if the message has an Approved or Approve header with a valid
+ # list-moderator, list-admin. Also look at the first non-whitespace line
+ # in the file to see if it looks like an Approved header. We are
+ # specifically /not/ allowing the site admins password to work here
+ # because we want to discourage the practice of sending the site admin
+ # password through email in the clear.
missing = []
passwd = msg.get('approved', msg.get('approve', missing))
+ if passwd is missing:
+ # Find the first text/plain part in the message
+ part = None
+ for part in typed_subpart_iterator(msg, 'text', 'plain'):
+ break
+ if part is not None:
+ lines = part.get_payload().splitlines()
+ for lineno, line in zip(range(len(lines)), lines):
+ if line.strip():
+ break
+ i = line.find(':')
+ if i >= 0:
+ name = line[:i]
+ value = line[i+1:]
+ if name.lower() in ('approve', 'approved'):
+ passwd = value.lstrip()
+ # Now strip the first line from the payload so the
+ # password doesn't leak.
+ del lines[lineno]
+ part.set_payload(NL.join(lines[1:]))
if passwd is not missing and mlist.Authenticate((mm_cfg.AuthListModerator,
mm_cfg.AuthListAdmin),
passwd):
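Review bot: Once `del lines[lineno]` has removed the Approved line, `part.set_payload(NL.join(lines[1:]))` drops one more line, so when the pseudo-header is the very first line of the part, the first line of the real body is silently lost; `part.set_payload(NL.join(lines))` would remove only the password line. An empty text/plain payload leaves `line` and `lineno` unbound after the loop, so `line.find(':')` fails with an unbound-local error; an `if lines:` guard or `line = ''` before the loop avoids that. The password is stripped only from this one part, and `get_payload()` is read without decoding, so a copy in a text/html alternative or in a base64/quoted-printable body would presumably still reach the list in the clear. That limitation deserves at least a comment next to "so the password doesn't leak". process() starts and ends outside the hunk.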