1 files changed, 30 insertions, 4 deletions

diff --git a/Mailman/Handlers/Approve.py b/Mailman/Handlers/Approve.py
index 5f4626c81..9876736de 100644
--- a/Mailman/Handlers/Approve.py
+++ b/Mailman/Handlers/Approve.py
@@ -23,9 +23,13 @@ not tested by this module.
 
 """
 
+from email.Iterators import typed_subpart_iterator
+
 from Mailman import mm_cfg
 from Mailman import Errors
 
+NL = '\n'
+
 
 
 def process(mlist, msg, msgdata):
@@ -35,12 +39,34 @@ def process(mlist, msg, msgdata):
         # TBD: we may want to further filter Usenet messages, so the test
         # above may not be entirely correct.
         return
-    # See if the message has an Approved: or Approve: header with a valid
-    # list-moderator, list-admin.  We are specifically /not/ allowing the site
-    # admins password to work here because we want to discourage the practice
-    # of sending the site admin password through email in the clear.
+    # See if the message has an Approved or Approve header with a valid
+    # list-moderator, list-admin.  Also look at the first non-whitespace line
+    # in the file to see if it looks like an Approved header.  We are
+    # specifically /not/ allowing the site admins password to work here
+    # because we want to discourage the practice of sending the site admin
+    # password through email in the clear.
     missing = []
     passwd = msg.get('approved', msg.get('approve', missing))
+    if passwd is missing:
+        # Find the first text/plain part in the message
+        part = None
+        for part in typed_subpart_iterator(msg, 'text', 'plain'):
+            break
+        if part is not None:
+            lines = part.get_payload().splitlines()
+            for lineno, line in zip(range(len(lines)), lines):
+                if line.strip():
+                    break
+            i = line.find(':')
+            if i >= 0:
+                name = line[:i]
+                value = line[i+1:]
+                if name.lower() in ('approve', 'approved'):
+                    passwd = value.lstrip()
+                    # Now strip the first line from the payload so the
+                    # password doesn't leak.
+                    del lines[lineno]
+                    part.set_payload(NL.join(lines[1:]))
     if passwd is not missing and mlist.Authenticate((mm_cfg.AuthListModerator,
                                                      mm_cfg.AuthListAdmin),
                                                     passwd):