[Mailman-Developers]
[ mailman-Bugs-664466 ] 2.0 cookies break 2.1 web auth
SourceForge.net
noreply at sourceforge.net
Wed Jan 8 08:30:33 EST 2003
Bugs item #664466, was opened at 2003-01-08 11:30
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=664466&group_id=103
Category: Web/CGI
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Bryan Fullerton (fehwalker)
Assigned to: Nobody/Anonymous (nobody)
Summary: 2.0 cookies break 2.1 web auth
Initial Comment:
(as discussed on mailman-users)
If there are *any* mm2.0 cookies in the URI-space mm2.1 looks in, the following code will always raise a Cookie.CookieException and return 0.
# Treat the cookie data as simple strings, and do application level
# decoding as necessary. By using SimpleCookie, we prevent any kind
# of security breach due to untrusted cookie data being unpickled
# (which is quite unsafe).
try:
    c = Cookie.SimpleCookie(cookiedata)
except Cookie.CookieError:
    return 0
If Python's Cookie code (or at least SimpleCookie) doesn't like cookies with :'s in them, that'd explain it.
This is rather a problem for anyone thinking they could run both mm2.0 and mm2.1 mapped into the same URI-space. Simply put, you can't (without re-auth'ing with every action in 2.1 lists), unless the mm2.1 code is rewritten to handle that exception better. Or unless you nuke all your cookies after every use of a 2.0 list (not just logout - in my testing that doesn't actually remove the cookie, just the cookie's contents).
The good news is that this should be no problem once everything is moved to 2.1.
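An added example, not part of the original report or of Mailman's code: one way to keep a single unparseable cookie from invalidating the whole header is to parse each pair separately, still using SimpleCookie only (nothing is unpickled). It uses Python 3's `http.cookies` in place of the old `Cookie` module; the function names and cookie values are constructed, and the legacy cookie uses `/` in its name as a stand-in because current Python versions accept `:`.

```python
from http.cookies import SimpleCookie, CookieError


def strict_parse(cookiedata):
    """Whole-header parse, like the snippet in the report:
    one rejected cookie makes the entire header unusable."""
    try:
        return {k: m.value for k, m in SimpleCookie(cookiedata).items()}
    except CookieError:
        return None


def tolerant_parse(cookiedata):
    """Parse each 'name=value' pair on its own so a rejected cookie
    only costs that cookie. Returns (accepted, rejected_names).

    Assumption: values contain no ';' (true for hex digests); a quoted
    value containing ';' would be split incorrectly by this approach.
    """
    accepted, rejected_names = {}, []
    for chunk in cookiedata.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        # Keep only the name for diagnostics: the value may be a credential.
        name = chunk.split("=", 1)[0]
        try:
            jar = SimpleCookie(chunk)
        except CookieError:
            rejected_names.append(name)
            continue
        if not jar:  # parser silently produced nothing for this pair
            rejected_names.append(name)
            continue
        for key, morsel in jar.items():
            accepted[key] = morsel.value
    return accepted, rejected_names


# Constructed sample: a legacy-style cookie the parser rejects, followed by
# a well-formed one for a second list in the same URI-space.
SAMPLE = "oldlist/admin=0123abcd; newlist+admin=28000000a1b2c3"

if __name__ == "__main__":
    print("strict  :", strict_parse(SAMPLE))
    print("tolerant:", tolerant_parse(SAMPLE))
```

The accepted cookies still have to pass the application's own authentication check; the tolerant parse only decides which pairs are syntactically usable.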