authorhmeland1999-06-11 14:29:54 +0000
committerhmeland1999-06-11 14:29:54 +0000
commit9286ef4c5f1c9689dcd72f9731fdbdf8edb8546e (patch)
tree1c24c793b53cab0f3e3c685ecb21209bb7ba08cd /Mailman/Cgi/admin.py
parent4b2a899ffd6325fb1eb223ad6633ce0f4ca2cd08 (diff)
Changes to fix the CGI cookie security flaw reported by John Morton.
SecurityManager: New functions MakeCookie() and CheckCookie(). These functions work with cookies containing the cookie creation and expiry time, the client's IP number, and a checksum hash of these values together with a secret (the list's (encrypted) admin password). admin.py, admindb.py and private.py: isAuthenticated now uses these new cookie functions.
Diffstat (limited to 'Mailman/Cgi/admin.py')
-rw-r--r--Mailman/Cgi/admin.py4
1 files changed, 2 insertions, 2 deletions
diff --git a/Mailman/Cgi/admin.py b/Mailman/Cgi/admin.py
index 9e875d1f0..73a7b2cd9 100644
--- a/Mailman/Cgi/admin.py
+++ b/Mailman/Cgi/admin.py
@@ -50,7 +50,7 @@ def isAuthenticated(list, password=None, SECRET="SECRET"):
AddErrorMessage(doc, 'Error: Incorrect admin password.')
return 0
- token = `hash(list_name)`
+ token = list.MakeCookie()
c = Cookie.Cookie()
cookie_key = list_name + "-admin"
c[cookie_key] = token
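Review bot: With the token now produced by `list.MakeCookie()` on L28, the `SECRET="SECRET"` parameter in the `isAuthenticated` signature shown in the hunk header (L24) is not referenced by any visible line; a default literal that reads like a shared secret misleads readers into thinking it protects the cookie, so if nothing further down still uses it, drop it or mark it `# SECRET is unused; the cookie is authenticated by MakeCookie()/CheckCookie()`. The rest of isAuthenticated, including any `path`/`expires` attributes set on `c[cookie_key]`, lies outside this hunk, so I cannot tell whether the browser-side cookie lifetime matches the expiry the commit message says is embedded in the token. A one-line comment above L28 such as `# token embeds creation/expiry time, client IP and a keyed checksum; CheckCookie() validates it` would let the next reader see why the old hash(list_name) value was replaced.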
@@ -60,7 +60,7 @@ def isAuthenticated(list, password=None, SECRET="SECRET"):
if os.environ.has_key('HTTP_COOKIE'):
c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
if c.has_key(list_name + "-admin"):
- if c[list_name + "-admin"].value == `hash(list_name)`:
+ if list.CheckCookie(c[list_name + "-admin"].value):
return 1
else:
AddErrorMessage(doc, "error decoding authorization cookie")
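Review bot: `list.CheckCookie(...)` on L37 is handed the raw value from `HTTP_COOKIE`, which the client fully controls; if CheckCookie parses that value (the commit message says it carries timestamps, an IP and a checksum) without guarding against a wrong field count or non-numeric fields, a malformed cookie raises inside the call and the CGI dies with a traceback instead of reaching the `else` branch that reports "error decoding authorization cookie" on L40. CheckCookie's body is not on this page, so this is inferred; if it does not catch its own parsing errors, guard the call here: `try: valid = list.CheckCookie(c[list_name + "-admin"].value)` / `except (ValueError, TypeError, IndexError): valid = 0` and branch on `valid`. Binding the cookie to the client IP, as described, will also log out legitimate admins whose address changes between requests (proxies, dial-up), which is a usability trade-off worth a comment near this check. The enclosing function continues outside the hunk in both directions.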