[Mailman-Developers] Hashing in private.py
Andrew M. Kuchling
akuchlin@cnri.reston.va.us
Tue, 1 Dec 1998 11:03:49 -0500 (EST)
I just noticed that the token value used in private.py is just
hash(list_name). A simple improvement is to change it to hash(SECRET
+ list_name) and then change the value of SECRET in private.py. An
even better solution would be to do an MD5 hash of SECRET + list_name,
but is it OK to assume that the md5 module is present?
(I haven't done a patch for md5 support; let me know if I should.)

Also, since setting an archive to private doesn't seem to
change the directory where it's archived, this means you have to
configure the Web server accordingly. This should be documented
somewhere; is it?

--
A.M. Kuchling http://starship.skyport.net/crew/amk/
"All we know for sure is that we don't know anything for sure."
"That is a particularly foolish thing to say, John Constantine. Light and
darkness, life and death. These things are eternally certain."
-- John Constantine and Dr Occult, in BOOKS OF MAGIC #1
*** private.py~ Mon Oct 19 16:14:54 1998
--- private.py Tue Dec 1 11:00:06 1998
***************
*** 98,102 ****
c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
if c.has_key(list_name):
! if c[list_name].value == `hash(list_name)`:
return 1
# No corresponding cookie. OK, then check for username, password
--- 98,102 ----
c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
if c.has_key(list_name):
! if c[list_name].value == `hash(SECRET + list_name)`:
return 1
# No corresponding cookie. OK, then check for username, password
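Review bot: SECRET is referenced in the changed comparison at line 100, but neither hunk of this patch defines it, so the check raises NameError unless a definition exists elsewhere in private.py. Please include the definition in the patch, with a comment telling the administrator to change it, or read it from site configuration; a default that ships in the source is the same on every installation that leaves it untouched. The cookie value is also compared with ==, and the token is still the built-in hash(), whose output is a machine-word integer; both are worth revisiting when the md5 version is written.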
***************
*** 129,133 ****
return 0
! token = `hash(list_name)`
c = Cookie.Cookie()
c[list_name] = token
--- 129,133 ----
return 0
! token = `hash(SECRET + list_name)`
c = Cookie.Cookie()
c[list_name] = token
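Review bot: the changed line 131 repeats the expression from the cookie check at line 100, so the issued token and the verified token are kept in step only by hand. Put the computation in one helper that both places call (for example a function taking list_name and returning the token string); a later switch to an MD5 digest is then a single edit and the two sites cannot drift apart.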
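
The keyed-token idea from the message above, as an added example in modern Python that is not part of the original post or of Mailman's code. It swaps in HMAC-SHA256 and a constant-time comparison for the hash(SECRET + list_name) and MD5 constructions the message discusses; SECRET's value, the function names and the list names are assumptions made for the example.

```python
import hashlib
import hmac

# Assumption: a per-site secret generated at install time and kept out of
# the source tree. This value is constructed for the example only.
SECRET = b"constructed-example-secret"


def unkeyed_token(list_name: str) -> str:
    """Token computed from public input only, like hash(list_name).

    SHA-256 stands in for the built-in hash() so the output is stable;
    the point is that no secret is needed to reproduce it.
    """
    return hashlib.sha256(list_name.encode("utf-8")).hexdigest()


def make_token(list_name: str, secret: bytes = SECRET) -> str:
    """Keyed token: HMAC-SHA256 of the list name under the site secret."""
    return hmac.new(secret, list_name.encode("utf-8"), hashlib.sha256).hexdigest()


def check_cookie(cookie_value: str, list_name: str, secret: bytes = SECRET) -> bool:
    """Return True only if the cookie equals the keyed token for this list."""
    expected = make_token(list_name, secret)
    # compare_digest does not stop at the first mismatching byte;
    # encoding to bytes keeps non-ASCII cookie values from raising TypeError.
    return hmac.compare_digest(cookie_value.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    name = "mailman-developers"  # constructed sample list name
    good = make_token(name)
    print("valid cookie accepted:   ", check_cookie(good, name))
    print("unkeyed token accepted:  ", check_cookie(unkeyed_token(name), name))
    print("other list's cookie used:", check_cookie(make_token("other-list"), name))
```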