| author | bwarsaw | 1999-01-08 19:22:51 +0000 |
|---|---|---|
| committer | bwarsaw | 1999-01-08 19:22:51 +0000 |
| commit | 23a2f7817dfd9903d664cf96d0aeab78677eaf66 (patch) | |
| tree | fb946c88cc72e1ad426363d994a79dc5232c7821 /Mailman/Cgi/admin.py | |
| parent | b9461fcfb3564f8a708a9daafda98273a16bf4d1 (diff) | |
main(): Kludge-around for accessing variable details when cookies are
disabled. The problem: because cookies are disabled, the admin has to
authenticate for each access. We can't change this because otherwise
option values could leak.
So when the admin fills in the password and clicks `let me in...', the
form gets POSTed, and even though the variable to get details on is
given in the form's ACTION, cgi.py ignores any QUERY_STRING on a
POST. Maybe cgi.py should be fixed? In the meantime, we just watch
for the FieldStorage having a `request_login' field and a QUERY_STRING
environment variable. In that case, we manually parse out the query
string and use its value if available.
Diffstat (limited to 'Mailman/Cgi/admin.py')
| -rw-r--r-- | Mailman/Cgi/admin.py | 36 |
1 files changed, 23 insertions, 13 deletions
diff --git a/Mailman/Cgi/admin.py b/Mailman/Cgi/admin.py
index 75bed964d..55aacb603 100644
--- a/Mailman/Cgi/admin.py
+++ b/Mailman/Cgi/admin.py
@@ -130,19 +130,29 @@ def main():
 print text
 return
- if len(cgi_data.keys()):
- if cgi_data.has_key('VARHELP'):
- FormatOptionHelp(doc, cgi_data['VARHELP'].value, lst)
- print doc.Format(bgcolor="#ffffff")
- return
- if (cgi_data.has_key('bounce_matching_headers')):
- try:
- pairs = lst.parse_matching_header_opt()
- except Errors.MMBadConfigError, line:
- AddErrorMessage(doc,
- 'Warning: bad matching-header line'
- ' (does it have the colon?)<ul> %s </ul>',
- line)
+ # is the request for variable details?
+ varhelp = None
+ if cgi_data.has_key('VARHELP'):
+ varhelp = cgi_data['VARHELP'].value
+ elif cgi_data.has_key('request_login') and \
+ os.environ.has_key('QUERY_STRING'):
+ # POST methods, even if their actions have a query string, don't
+ # get put into FieldStorage's keys :-(
+ qs = cgi.parse_qs(os.environ['QUERY_STRING'])
+ varhelp = qs.get('VARHELP')[0]
+ if varhelp:
+ FormatOptionHelp(doc, varhelp, lst)
+ print doc.Format(bgcolor="#ffffff")
+ return
+
+ if cgi_data.has_key('bounce_matching_headers'):
+ try:
+ pairs = lst.parse_matching_header_opt()
+ except Errors.MMBadConfigError, line:
+ AddErrorMessage(doc,
+ 'Warning: bad matching-header line'
+ ' (does it have the colon?)<ul> %s </ul>',
+ line)
 if not lst.digestable and len(lst.GetDigestMembers()):
 AddErrorMessage(doc, |
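Review bot: In the new `elif` branch, `varhelp = qs.get('VARHELP')[0]` raises TypeError whenever the login form is POSTed with a query string that has no VARHELP key, since `qs.get('VARHELP')` returns None; CGI servers normally set QUERY_STRING even when it is empty, so an ordinary login could hit this. Use `varhelp = qs.get('VARHELP', [None])[0]` so the missing case falls through to the `if varhelp:` test. The value taken from QUERY_STRING is request-controlled and goes straight into `FormatOptionHelp(doc, varhelp, lst)`, whose body is not shown here; it should be checked against the list's known option names and HTML-escaped before it is echoed. `main()` begins and ends outside this hunk, so whether authentication has already been enforced at this point cannot be confirmed from the diff.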
