| -rwxr-xr-x | cgi/admin | 39 |
1 files changed, 26 insertions, 13 deletions
@@ -21,7 +21,7 @@ To run stand-alone for debugging, set env var PATH_INFO to name of list and, optionally, options category.""" -__version__ = "$Revision: 635 $" +__version__ = "$Revision: 638 $" import sys import os, cgi, string, crypt, types, time @@ -73,25 +73,38 @@ LOGIN_PAGE = """ # " <- icky emacs font-lock bug workaround -def isAuthenticated(list, password=None): +SECRET="monty" + +def isAuthenticated(list, password=None, SECRET="SECRET"): + import base64, md5 if password is not None: # explicit login - try: + try: list.ConfirmAdminPassword(password) - except mm_err.MMBadPasswordError: + except mm_err.MMBadPasswordError: AddErrorMessage(doc, 'Error: Incorrect admin password.') return 0 - else: + token = md5.new(SECRET + list_name + SECRET).digest() + token = base64.encodestring(token) + token = string.strip(token) c = Cookie.Cookie() - c[list_name] = list.password # its crypted so this should be ok - c[list_name]['expires'] = mm_cfg.ADMIN_COOKIE_LIFE - c[list_name]["path"] = "/mailman/" + list.GetScriptURL("admin") - print c # Output the cookie - + cookie_key = list_name + "-admin" + c[cookie_key] = token + c[cookie_key]['expires'] = mm_cfg.ADMIN_COOKIE_LIFE + path = list.GetScriptURL("admin") + path = path[string.find(path, "://") + 3:] + path = path[string.find(path, "/"):] + c[cookie_key]["path"] = path + print c # Output the cookie return 1 if os.environ.has_key('HTTP_COOKIE'): - c = Cookie.Cookie( os.environ['HTTP_COOKIE'] ) - if c.has_key(list_name): - return (c[list_name].value == list.password) + c = Cookie.Cookie( os.environ['HTTP_COOKIE'] ) + if c.has_key(list_name + "-admin"): + inp = base64.decodestring(c[list_name + "-admin"].value) + check = md5.new(SECRET+list_name+SECRET).digest() + if inp == check: + return 1 + else: + return 0 return 0 |
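Review bot: The admin cookie issued in isAuthenticated is `md5.new(SECRET + list_name + SECRET).digest()`, so it depends only on the list name and a constant committed in this file; the value is identical on every installation and is not tied to the admin password, which means possession of the cookie no longer proves knowledge of any secret. Note also that the parameter default `SECRET="SECRET"` is the string literal, not the module-level `SECRET="monty"`, so the module value is never used unless a caller passes it explicitly. I would drop the default, load a per-installation secret from site configuration (placeholder name `site_secret`), and bind the token to the list's credential in both the issue and the check path, e.g. `md5.new(site_secret + list_name + list.password + site_secret).digest()`, so a password change invalidates outstanding cookies. The cookie branch also passes the raw cookie value to `base64.decodestring` with no handling for a decode error, which appears to let a malformed cookie raise out of the CGI instead of returning 0.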
