| author | bwarsaw | 2002-01-11 07:13:29 +0000 |
|---|---|---|
| committer | bwarsaw | 2002-01-11 07:13:29 +0000 |
| commit | 09034ae1ae1c69a31c8bf73f42963b415757fdda (patch) | |
| tree | 686207e676b8f105cf161c93f53adaf05d2d14d6 | |
| parent | 970efedb36d9c9e464158af568f09ef8a56acdea (diff) | |
| download | mailman-09034ae1ae1c69a31c8bf73f42963b415757fdda.tar.gz mailman-09034ae1ae1c69a31c8bf73f42963b415757fdda.tar.zst mailman-09034ae1ae1c69a31c8bf73f42963b415757fdda.zip | |
| -rw-r--r-- | Mailman/SecurityManager.py | 21 |
1 files changed, 9 insertions, 12 deletions
diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py
index 9950600eb..9d62bef4b 100644
--- a/Mailman/SecurityManager.py
+++ b/Mailman/SecurityManager.py
@@ -52,15 +52,10 @@
 import time
 import sha
 import marshal
 import binascii
+import Cookie
 from types import StringType, TupleType
 from urlparse import urlparse
-# Cookie module should treat our cookie data as simple strings. We'll do
-# application level decoding as necessary. By using SimpleCookie, we prevent
-# any kind of security breach due to untrusted cookie data being unpickled
-# (which is quite unsafe).
-from Cookie import SimpleCookie as Cookie
 try:
     import crypt
 except ImportError:
@@ -224,10 +219,8 @@ class SecurityManager:
         issued = int(time.time())
         # Get a digest of the secret, plus other information.
         mac = sha.new(secret + `issued`).hexdigest()
-        # Create the cookie object. The way the cookie module converts
-        # non-strings to pickles can cause problems if the resulting string
-        # needs to be quoted. So we'll do the conversion ourselves.
-        c = Cookie()
+        # Create the cookie object.
+        c = Cookie.SimpleCookie()
         c[key] = binascii.hexlify(marshal.dumps((issued, mac)))
         # The path to all Mailman stuff, minus the scheme and host,
         # i.e. usually the string `/mailman'
@@ -244,7 +237,7 @@ class SecurityManager:
         # Logout of the session by zapping the cookie. For safety both set
         # max-age=0 (as per RFC2109) and set the cookie data to the empty
         # string.
-        c = Cookie()
+        c = Cookie.SimpleCookie()
         c[key] = ''
         # The path to all Mailman stuff, minus the scheme and host,
         # i.e. usually the string `/mailman'
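Review bot: The shortened comment `# Create the cookie object.` in the `-224,10 +219,8` hunk loses the reason the next line hand-encodes the value with `binascii.hexlify(marshal.dumps(...))`; the pickle half of the old rationale is obsolete now that `SimpleCookie` only str()-converts non-string values, but the quoting concern is still the reason for the hex step and is worth keeping. Suggest `# Hex-encode the marshalled (issued, mac) tuple ourselves so the value stays within the cookie-safe character set and SimpleCookie never has to quote it.` The enclosing method starts and ends outside this hunk.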
@@ -266,7 +259,11 @@ class SecurityManager:
         cookiedata = os.environ.get('HTTP_COOKIE')
         if not cookiedata:
             return 0
-        c = Cookie(cookiedata)
+        # Treat the cookie data as simple strings, and do application level
+        # decoding as necessary. By using SimpleCookie, we prevent any kind
+        # of security breach due to untrusted cookie data being unpickled
+        # (which is quite unsafe).
+        c = Cookie.SimpleCookie(cookiedata)
         # If the user was not supplied, but the authcontext is AuthUser, we
         # can try to glean the user address from the cookie key. There may be
         # more than one matching key (if the user has multiple accounts
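Review bot: `Cookie.SimpleCookie(cookiedata)` parses the raw `HTTP_COOKIE` header straight from the environment, and as far as I recall the Python 2 `Cookie` module can raise `Cookie.CookieError` while loading a malformed header, which would propagate out of this check as a server error instead of reaching the `return 0` path two lines above. Consider `try: c = Cookie.SimpleCookie(cookiedata)` / `except Cookie.CookieError: return 0` so a garbled or hostile cookie is treated as unauthenticated. The moved comment is the right place for the unpickling rationale, but the "application level decoding" it refers to is presumably a `marshal.loads` of the hex value written by the earlier `binascii.hexlify(marshal.dumps(...))` hunk; `marshal` is not hardened against untrusted input either, so that decode deserves the same defensive wrapping (its lines are outside this hunk). The enclosing method continues past the end of the hunk.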
