[Mailman-Developers] Cookie security hole in admin interface

Harald Meland Harald.Meland@usit.uio.no
14 Jun 1999 11:52:18 +0200


[Gerhard Gonter]

> Harald Meland writes:
> > As the extra complexity added by having to save session state on the
> > server side (i.e. have Mailman keep track of session IDs) is rather
> > large, and [...]
> 
> In a local CGI application, we are storing cookies in an LDAP server
> which would be an excellent supplement for Mailman anyway.

True -- I was only saying that for fixing the hole, such a major job
would take too much time.  For post-1.0 LDAP support might at some
time be nice (although it would have to be a purely optional thing, of
course).

> User database and some other things might be stored there.  I toyed
> around with that idea in conjunction with our old Listprocessor but
> gave up on that because the Listprocessor is such a mess.

Maybe generalizing the interface for storing state in Mailman is
something to think about.  If we had such a thing, we could have a
"marshal-dump to/from local file" subclass, an "LDAP-query" subclass,
and so on...

I think many of the other things we have put off until after 1.0 will
have priority, though.
-- 
Harald
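
The generalized state-storage interface suggested above, sketched as an added example (not part of the original message and not Mailman code): a base class with a "marshal-dump to/from local file" subclass, used to keep admin session IDs on the server side so the cookie carries only a random identifier. All class and method names are hypothetical; an LDAP backend would implement the same two methods.

```python
import marshal, os, secrets, tempfile, time
from abc import ABC, abstractmethod

class StateStore(ABC):
    """Hypothetical storage interface; backends only load and save a dict."""
    @abstractmethod
    def load(self): ...
    @abstractmethod
    def save(self, state): ...

class MarshalFileStore(StateStore):
    """The 'marshal-dump to/from local file' backend."""
    def __init__(self, path):
        self.path = path
    def load(self):
        try:
            with open(self.path, "rb") as fp:
                return marshal.load(fp)  # only for files this process owns
        except FileNotFoundError:
            return {}
    def save(self, state):
        # mkstemp creates the file mode 0600; rename makes the update atomic.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "wb") as fp:
            marshal.dump(state, fp)
        os.replace(tmp, self.path)

class AdminSessions:
    """Server-side session table: the cookie carries only a random ID."""
    def __init__(self, store, lifetime=3600):
        self.store, self.lifetime = store, lifetime
    def issue(self, listname, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_hex(32)  # unguessable, reveals no secret
        state = self.store.load()
        state[sid] = (listname, now + self.lifetime)
        self.store.save(state)
        return sid
    def check(self, listname, cookie, now=None):
        now = time.time() if now is None else now
        state = self.store.load()
        live = {s: v for s, v in state.items() if v[1] > now}
        if len(live) != len(state):
            self.store.save(live)  # drop expired sessions
        entry = live.get(cookie)
        return entry is not None and entry[0] == listname
    def revoke(self, cookie):
        state = self.store.load()
        if state.pop(cookie, None) is not None:
            self.store.save(state)
```

Because each CGI invocation is a fresh process, every call reloads the table from the store; concurrent writers would additionally need file locking, which this sketch omits.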