authorhmeland1999-06-11 14:29:54 +0000
committerhmeland1999-06-11 14:29:54 +0000
commit9286ef4c5f1c9689dcd72f9731fdbdf8edb8546e (patch)
tree1c24c793b53cab0f3e3c685ecb21209bb7ba08cd /Mailman/Cgi/private.py
parent4b2a899ffd6325fb1eb223ad6633ce0f4ca2cd08 (diff)
Changes to fix the CGI cookie security flaw reported by John Morton.
SecurityManager: New functions MakeCookie() and CheckCookie(). These functions work with cookies containing the cookie creation and expiry time, the client's IP number, and a checksum hash of these values together with a secret (the list's (encrypted) admin password). admin.py, admindb.py and private.py: isAuthenticated now uses these new cookie functions.
Diffstat (limited to 'Mailman/Cgi/private.py')
-rw-r--r--Mailman/Cgi/private.py17
1 files changed, 7 insertions, 10 deletions
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 0fbdcede0..e46879371 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -32,9 +32,6 @@ import Mailman.mm_cfg
LogStdErr("error", "private")
-
-SECRET = "secret" # XXX used for hashing
-
PAGE = '''
<html>
<head>
@@ -82,10 +79,15 @@ def GetListobj(list_name):
return _list
def isAuthenticated(list_name):
+ try:
+ listobj = GetListobj(list_name)
+ except Errors.MMUnknownListError:
+ print "\n<H3>List", repr(list_name), "not found.</h3>"
+ raise SystemExit
if os.environ.has_key('HTTP_COOKIE'):
c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
if c.has_key(list_name):
- if c[list_name].value == `hash(list_name)`:
+ if listobj.CheckCookie(c[list_name].value):
return 1
# No corresponding cookie. OK, then check for username, password
# CGI variables
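Review bot: The error branch moved to the top of isAuthenticated echoes `list_name` into HTML with only `repr()`, which quotes the string but leaves `<`, `>` and `&` untouched, so a list name taken from the request is reflected into the page unescaped, and this branch now runs before any cookie or password check. If the `cgi` module is in scope here (the import block is outside the hunk), `print "\n<H3>List", cgi.escape(repr(list_name)), "not found.</h3>"` closes that. Separately, the context line `c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )` parses the raw header before `CheckCookie` is consulted; if this `Cookie` class is the pickle-capable variant of that era, cookie values are deserialized before any verification, which is worth confirming against the bundled module. isAuthenticated's body continues outside the hunk.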
@@ -108,17 +110,12 @@ def isAuthenticated(list_name):
global login_attempted
login_attempted=1
try:
- listobj = GetListobj(list_name)
- except Errors.MMUnknownListError:
- print "\n<H3>List", repr(list_name), "not found.</h3>"
- raise SystemExit
- try:
listobj.ConfirmUserPassword( username, password)
except (Errors.MMBadUserError, Errors.MMBadPasswordError,
Errors.MMNotAMemberError):
return 0
- token = `hash(list_name)`
+ token = listobj.MakeCookie()
c = Cookie.Cookie()
c[list_name] = token
print c # Output the cookie