[Mailman-Developers] Secure admin pages

Dan Mick <Dan.Mick@West.Sun.COM>
Tue, 14 Dec 1999 21:45:53 -0800 (PST)


We set up an SSL arrangement so our admin password isn't traversing
the net in clear text, but were temporarily thwarted by the
fact that the admin CGI scripts sometimes use Absolute paths,
which didn't include the https://.  I made some hacks; comments?
(Does this look right, Barry et al.?)

(This is to v1.1; if it looks good, I'll put it in CVS and put it
back)

How does the putback process usually work?  Does someone review code,
or do we have a "holding area" that's protected somehow, or?...

Anyway, here are context diffs:

===================================================================
RCS file: RCS/admin.py,v
retrieving revision 1.1
diff -c -r1.1 admin.py
*** admin.py    1999/12/15 05:29:10     1.1
--- admin.py    1999/12/15 05:29:50
***************
*** 534,540 ****
          buttons = []
          for ci in chunk_indices:
              start, end = chunks[ci][0], chunks[ci][-1]
!           url = lst.GetAbsoluteScriptURL('admin')
              buttons.append("<a href=%s/members?chunk=%d> from %s to %s </a>"
                             % ( url,  ci, start, end))
          buttons = apply(UnorderedList, tuple(buttons))
--- 534,540 ----
          buttons = []
          for ci in chunk_indices:
              start, end = chunks[ci][0], chunks[ci][-1]
!           url = lst.GetRelativeScriptURL('admin')
              buttons.append("<a href=%s/members?chunk=%d> from %s to %s </a>"
                             % ( url,  ci, start, end))
          buttons = apply(UnorderedList, tuple(buttons))
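
Review bot: On the changed `url = lst.GetRelativeScriptURL('admin')` line, a relative link inherits the scheme and host of whatever URL the admin page was loaded from, so it keeps an https session on https but does nothing for an admin who reached the page over plain http. If the aim is that the admin password never crosses the net in clear text, this change should be paired with the web server redirecting or refusing non-SSL requests to the admin CGI, or with a configurable scheme for the absolute URL. The result is also used as a prefix for `/members?chunk=%d`, and GetRelativeScriptURL is not shown in this diff, so please confirm it returns a path that resolves correctly from every URL depth at which this page is served. While this line is being touched, the `href=%s/members?chunk=%d` attribute value could be quoted.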
***************
*** 544,550 ****
          footer = "<p>"
      for member in all:
          mtext = '<a href="%s">%s</a>' % (
!             lst.GetAbsoluteOptionsURL(member, obscured=1),
              lst.GetUserSubscribedAddress(member))
          cells = [mtext + "<input type=hidden name=user value=%s>" % (member),
                   Center(CheckBox(member + "_subscribed", "on", 1).Format())]
--- 544,550 ----
          footer = "<p>"
      for member in all:
          mtext = '<a href="%s">%s</a>' % (
!             lst.GetRelativeOptionsURL(member, obscured=1),
              lst.GetUserSubscribedAddress(member))
          cells = [mtext + "<input type=hidden name=user value=%s>" % (member),
                   Center(CheckBox(member + "_subscribed", "on", 1).Format())]
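
Review bot: In the `'<a href="%s">%s</a>' % (...)` expression that this hunk changes, the value from GetRelativeOptionsURL goes into the href and the value from GetUserSubscribedAddress goes in as link text, and neither passes through an HTML-escaping call in the lines shown; the same holds for `value=%s` with `member` on the following line, which is also unquoted. Subscriber addresses are user-supplied, so since this statement is being edited anyway, consider escaping them before they are written into the admin page. The relative options link also has to resolve from the admin page's URL to a different script (`options`), which depends on GetRelativeScriptURL, not visible here.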

===================================================================
RCS file: RCS/MailList.py,v
retrieving revision 1.1
diff -c -r1.1 MailList.py
*** MailList.py 1999/12/15 05:30:09     1.1
--- MailList.py 1999/12/15 05:31:01
***************
*** 194,199 ****
--- 194,209 ----
              treated = addr
          return "%s/%s" % (options, treated)
  
+     def GetRelativeOptionsURL(self, addr, obscured=0):
+         # address could come in case-preserved
+         addr = string.lower(addr)
+       options = self.GetRelativeScriptURL('options')
+         if obscured:
+             treated = Utils.ObscureEmail(addr, for_text=0)
+         else:
+             treated = addr
+         return "%s/%s" % (options, treated)
+ 
      def GetUserOption(self, user, option):
          """Return user's setting for option, defaulting to 0 if no 
settings."""
          user = self.GetUserCanonicalAddress(user)
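
Review bot: The new GetRelativeOptionsURL repeats the body of the method just above it (the context lines `treated = addr` and `return "%s/%s" % (options, treated)` are identical), differing only in the `GetRelativeScriptURL('options')` call. Consider one shared helper that takes the script URL, or a flag on the existing method, so the lowercasing and ObscureEmail logic cannot drift between the two copies. The `options = self.GetRelativeScriptURL('options')` line is indented differently from the rest of the added method in the diff, which suggests a tab mixed in with spaces; please normalize it. The new method also has no docstring, unlike GetUserOption below it.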