| Commit message | Author | Age | Files | Lines |
notifications.
wsgi_app.py ... URI normalization by stripping trailing slash. We need
Special care for 'private'.
Strip dot only components in the PATH_INFO for sanitization.
|
and some of the admindb.py links. There may still be breakage in other parts
of the interface and I haven't gone back to verify that traditional CGI still
works.
Changes:
- Add wsgiref-0.1.2-py2.4.egg so that we can still do WSGI in Python 2.4,
which doesn't come with wsgiref. Of course this means we /also/ have to add
setuptools-0.5c3 because eggs require setuptools.
- Style cleanups in HTTPRunner.py and wsgi_app.py. Also, use cStringIO
instead of StringIO.
- All internal links within the listinfo and admin pages are (or at least
should be ;) relative now. This should make other things better, such as
running Mailman over https or alternative ports. It does kind of mean that
web_page_url is obsolete, but I haven't looked at whether we can completely
eradicate it.
- ValidateEmail(): Use ' ' in s instead of s.count(' ') > 0.
- GetPathPieces(): When path is false, return the empty list instead of None,
so we can still len() it.
- ScriptURL(): Much simpler. To support relative urls as the default, we
change the API so that it only takes a 'target' argument (i.e. the script we
want to link to). It no longer takes 'absolute' or 'web_page_url', and it
constructs its link from GetPathPieces(), the target, and the cgi extension.
- GetRequestURI(): code style updates.
- Mailman/bin/show_config.py: De-DOS-line-ending-ification.
- export.py: A few modifications, although this is likely still not final (I'm
still working on the import script). First, for <option> elements, don't
put the value in an attribute, put it in the text body of the element.
Second, put the list <option> tags in a <configuration> element. Third, put
the preferred language on an <option> tag with a 'preferred_language'
name attribute value.
- SecurityManager: Make sure that MakeCookie() and ZapCookie() use the same
'path' cookie value by refactoring that into a separate method. That method
now returns just the SCRIPT_NAME and the full listname. web_page_url
doesn't enter into it.
- loginit.py: Add a 'debug' logger since it's just too useful to have :)
- admin.py: Remove the extra / right before the query string in ?VARHELP
urls. That extra / turns out to be problematic with the relative url scheme
we're using now.
- Auth.py: whitespace normalization and copyright years update. Also, remove
a couple of unnecessary imports. Also, make sure that the actionurl is
relative.
- create.py: Typo.
- private.py: mm_cfg -> config object
- In MailList.py: GetScriptURL() can be written in terms of Utils.ScriptURL()
now.
|
Add: HTTPRunner.py ... Start/Restart/Stop HTTP Server under Runner framework.
wsgi_app.py ... WSGI to CGI wrapper. Mostly taken from scripts/driver.
loginit.py ... Add http log. Time stamp is duplicated :-(
Defaults.py ... HTTP_HOST and HTTP_PORT.
Note that WSGI server should be used under reverse proxy environment.
|
traces of our crufty old Syslog. Most of this work was purely mechanical,
except for:
1) Initializing the loggers. For this, there's a new module
Mailman/loginit.py (yes all modules from now on will use PEP 8
names). We can't call this 'logging.py' because that will
interfere with importing the stdlib module of the same name (can
you say Python 2.5 and absolute imports?).
If you want to write log messages both to the log file and to
stderr, pass True to loginit.initialize(). This will turn on
propagation of log messages to the parent 'mailman' logger, which
is set up to print to stderr. This is how bin/qrunner works when
not running as a subprocess of mailmanctl.
2) The driver script. I had to untwist the StampedLogger stuff and
implement differently printing exceptions and such to log/error
because standard logging objects don't have a write() method. So
we write to a cStringIO and then pass that to the logger.
3) SMTPDirect.py because of the configurability of the log messages.
This required changing SafeDict into a dict subclass (which is
better than using UserDicts anyway -- yay Python 2.3!). It's
probably still possible to flummox things up if you change the
name of the loggers in the SMTP_LOG_* variables in mm_cfg.py.
However, the worst you can do is cause output to go to stderr and
not go to a log file.
Note too that all entry points into the Mailman system must call
Mailman.loginit.initialize() or the log output will go to stderr
(which may occasionally be what you want). Currently all CGIs and
qrunners should be working properly.
I wish I could have tested all code paths that touch the logger, but
that's infeasible. I have tested this, but it's possible that there
were some mistakes in the translation.
- Mailman.Bouncers.BounceAPI.Stop is a singleton, but not a class
instance any more.
- True/False code cleanup, PEP 8 import restructuring, whitespace
normalization, and copyright year updates, as appropriate.
|
Add error response for ./ and ../ in URL
|
which does not accept the strict flag to mimetypes.guess_type().
main(): If guess_type() returns None, use text/html so that the
private archive summary page displays correctly.
|
this better.
Whitespace normalization.
|
Also, use Utils.websafe() consistently throughout, instead of the
inconsistent calls to cgi.escape().
|
converted to the Site module abstractions.
|
Fixes to prevent cross-site scripting exploits. See
http://www.cert.org/advisories/CA-2000-02.html
Reported by zeno@cgisecurity.com
Fix is to cgi.escape() any strings regurgitated from the url back to
the browser in the html response.
|
GetPreferredLanguage() -> getMemberLanguage()
|
as translatable.
|
cleanups we could do to this file, but there are other priorities at
the moment.
Cleaned up the imports. Removed login_attemped and _list unused
module globals. i18n setup.
main(): Set the i18n language, first to the server default, then to
the list preferred, once we have a valid list, and to the user's
preferred language once we know that. Updates for new string methods.
Removed a call to IsListInitialized() and use return instead of
sys.exit(0). Better cgidata style. Use new WebAuthenticate()
mechanisms to authenticate the user.
|
argument anymore. Other colors are no longer hardcoded, but taken
from mm_cfg.
|
pass in the MailList object; maketext() digs the preferred language
out of the list object.
|
displayed:
- use the private.html template instead of private.txt
- calculate the ACTION attribute via the absolute url back to the
`private' cgi script
|
Untabification.
Fix some _() wrappings to use local variables.
Fix the Utils.maketext() calls to pass the language in as a keyword
argument.
|
private. Specifically,
main(): Check PATH_INFO and see if the path is
listname.mbox/listname.mbox, in which case the full archive is being
retrieved. If so, make sure the Content-Type: is text/plain and feed
the whole mbox out to the browser.
|
bomb with tracebacks if PATH_INFO environment variable wasn't defined.
Fixed this by making them all use Utils.GetPathPieces() and "doing
something sensible" when that returned a false value.
Also, edithtml is now hidden behind a login screen, so there's no need
to enter the list password to edit the html. You can't even get to
the list of files to edit unless you've admin authenticated. Closes
SF bug #114091, Jitterbug PR# 24.
|
SF Bug #110142.
|
syslog() interface.
|
mailing list. In all cases, catch the base exception class
MMListError, and output HTML indicating the specified list doesn't
exist. A more detailed message gets printed to logs/error (the str() of
the actual exception details).
Also:
admin.py - Don't catch MMBadConfigError around
mlist.parse_matching_header_opt() since this method doesn't ever
raise that exception. Actually, that exception isn't raised
anywhere in Mailman, so it's been removed.
|
* New method WebAuthenticate(). Takes up to three keyword arguments:
user-address, password and cookie-suffix. If password is supplied
(and authenticates OK), issue a cookie -- otherwise try to do
authentication based on cookies.
* MakeCookie(): Changed to actually return a finished Cookie object.
Takes one (non-optional) argument; the created cookie's name.
Fixed bug in setting of cookie's path.
* CheckCookie(): Now takes cookie's name as single argument, and can
raise various MMAuthenticationErrors if that cookie doesn't
authenticate OK.
admin.py: Do explicit re-authentication when changing list admin
password.
admin.py, admindb.py and private.py: Removed isAuthenticated()
function -- use MailList.WebAuthenticate() instead. This removed
the need to import Cookie, so now we don't.
|
SecurityManager: New functions MakeCookie() and CheckCookie(). These
functions work with cookies containing cookie creation and expire
time, the client's IP number, and a checksum hash of these values as
well as a secret (the list's (encrypted) admin password).
admin.py, admindb.py and private.py: isAuthenticated now uses these
new cookie functions.
|
from PATH_INFO, instead use Utils.GetPathPieces() like every other CGI
script.
|
"Here's a patch to private.py which makes it 1) return text/plain as
the content type if the file ends in .txt, and 2) look for
<filename>.gz if <filename> doesn't exist, and uses the gzip
module to read it."
Minimally tested, since I've got Pipermail installed. Doesn't seem
to hurt.
|
page and raising SystemExit, which the driver expects - instead of
generating an error that winds up in the error log.
|
ROOT is gone.
getListName(): must extract list name differently.
GetListobj(): Interface change! Allow Errors.MMUnknownListError to
propagate up. Returning None is not helpful because this will
generally cause an AttributeError later on, and that just masks the
real error, which is that the list name was not found.
main(): when file isn't found, include the true_filename in the
message (for debugging - shouldn't normally happen).
|
which contains the installation directory as determined by autoconf.
|
Original patches are from The Dragon de Monsyne with the following changes:
-added support for private archives as well as public
-added support for archiving daily and weekly
-made archiving happen in real time
-replaced use of pipermail's BSDBDatabase with homegrown python version
-took out the need for DocumentTemplate
here's a listing of changed files and relevant changes:
Makefile.in - added public_html/archives to installdirs
Mailman/Archiver.py - changed ArchiveMail to do real time archiving
Mailman/Defaults.py.in - added archive frequency and archive url
extension variables
Mailman/MailList.py - changed .Save() to alter perms on public vs. private
archives
Mailman/htmlformat.py - changes directly from The Dragon de Monsyne's patches.
I don't know what they are exactly, but all the cgi's
seem to work fine, so I assume they are OK.
Mailman/versions.py - changes to add archiving based variables back to the list
Mailman/Cgi/private - changed to make it work with default installation and
made background white on login page
src/Makefile.in - changes to make all wrappers setuid mailman:
since various processes may access an archive, and the
archiving mechanism uses "chmod", all archives must be owned
by mailman, so all wrappers need to be owned by and setuid mailman
added files:
Mailman/HyperArch.py - from The Dragon de Monsyne with changes made noted above
Mailman/HyperDatabase.py - the replacement for pipermail.BSDBDatabase
scott
|
to be returned, and in fact, valid *and* invalid passwords were being
accepted as sufficient authorization - since before 1.0b5, probably as
of 1.0b4! (At least, since v 1.2 of this file.)
Thanks to greg stein for noticing that invalid passwords were
accepted.
|
checkin) would not compile, causing this script to completely fail -
it should have been tested!