-rw-r--r--Mailman/SecurityManager.py21
1 files changed, 9 insertions, 12 deletions
diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py
index 9950600eb..9d62bef4b 100644
--- a/Mailman/SecurityManager.py
+++ b/Mailman/SecurityManager.py
@@ -52,15 +52,10 @@ import time
import sha
import marshal
import binascii
+import Cookie
from types import StringType, TupleType
from urlparse import urlparse
-# Cookie module should treat our cookie data as simple strings. We'll do
-# application level decoding as necessary. By using SimpleCookie, we prevent
-# any kind of security breach due to untrusted cookie data being unpickled
-# (which is quite unsafe).
-from Cookie import SimpleCookie as Cookie
-
try:
import crypt
except ImportError:
@@ -224,10 +219,8 @@ class SecurityManager:
issued = int(time.time())
# Get a digest of the secret, plus other information.
mac = sha.new(secret + `issued`).hexdigest()
- # Create the cookie object. The way the cookie module converts
- # non-strings to pickles can cause problems if the resulting string
- # needs to be quoted. So we'll do the conversion ourselves.
- c = Cookie()
+ # Create the cookie object.
+ c = Cookie.SimpleCookie()
c[key] = binascii.hexlify(marshal.dumps((issued, mac)))
# The path to all Mailman stuff, minus the scheme and host,
# i.e. usually the string `/mailman'
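Review bot: The replacement comment `# Create the cookie object.` above `c = Cookie.SimpleCookie()` drops the reason the next line hexlifies a marshal dump itself rather than assigning the `(issued, mac)` tuple to the cookie; without it a later cleanup could hand the tuple straight to the Cookie module, which is exactly the pickling behaviour the old comment warned about. I would keep the why on that line: `# Encode (issued, mac) ourselves: handing the Cookie module a non-string would pickle it, and the result may then need quoting.`. Separately, the context line computing `mac` as the SHA-1 hexdigest of the secret concatenated with the repr of `issued` is a bare hash over secret||issued rather than a keyed MAC; that predates this commit, but the stdlib `hmac` module would be the stronger construction if the Python versions this code targets have it. The enclosing method starts before and ends after this hunk.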
@@ -244,7 +237,7 @@ class SecurityManager:
# Logout of the session by zapping the cookie. For safety both set
# max-age=0 (as per RFC2109) and set the cookie data to the empty
# string.
- c = Cookie()
+ c = Cookie.SimpleCookie()
c[key] = ''
# The path to all Mailman stuff, minus the scheme and host,
# i.e. usually the string `/mailman'
@@ -266,7 +259,11 @@ class SecurityManager:
cookiedata = os.environ.get('HTTP_COOKIE')
if not cookiedata:
return 0
- c = Cookie(cookiedata)
+ # Treat the cookie data as simple strings, and do application level
+ # decoding as necessary. By using SimpleCookie, we prevent any kind
+ # of security breach due to untrusted cookie data being unpickled
+ # (which is quite unsafe).
+ c = Cookie.SimpleCookie(cookiedata)
# If the user was not supplied, but the authcontext is AuthUser, we
# can try to glean the user address from the cookie key. There may be
# more than one matching key (if the user has multiple accounts
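Review bot: `Cookie.SimpleCookie(cookiedata)` parses the attacker-controlled HTTP_COOKIE header, and the Cookie module's parser can raise `Cookie.CookieError` on keys or values it rejects (the exact cases vary by Python version), so a malformed header would turn a failed check into a traceback rather than the `return 0` the surrounding code uses for "no valid session"; I would wrap it as `try: c = Cookie.SimpleCookie(cookiedata)` followed by `except Cookie.CookieError: return 0`. The new comment is right that SimpleCookie never unpickles, but the value is still decoded later with `marshal.loads` (per the encoding chosen in the MakeCookie hunk), and `marshal` is not hardened against crafted input either, so the comment should not read as a blanket safety claim; I would append `# NOTE: the value is still marshal-decoded below; marshal is not robust against hostile input, so that decode must be guarded as well.` — this is hedged because the decode itself is outside this hunk. The enclosing method starts before and ends after this hunk.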