[Mailman-Developers] is_server_owner set to true regardless of value posted

Andrew Stuart andrew.stuart at supercoders.com.au
Sun Jul 12 07:20:53 CEST 2015


As far as I can tell, when creating users, if the is_server_owner field is provided in the POST data, then it will always be set to true. Is this the intended behaviour? I was trying to create users and explicitly setting it to False and wondering why they were being created as server_owners anyway.

I suppose this is a security issue, although I imagine it's unlikely any applications are using that field yet. The potential problem, I suppose, is that in the field there may be installations in which users created via POST have is_server_owner set to true.

See the commands below to see the problem in action:

# DELETE user to make sure it's not present
(venv3.4)ubuntu@mail:~/mailmania$ curl -X DELETE --header "authorization: Basic cmVzdGFkbWluOnJlc3RwYXNz" http://localhost:8001/3.0/users/mailmanadmin@example.org

# create user via POST with POSTed field value is_server_owner=anyoldvaluewilldo
(venv3.4)ubuntu@mail:~/mailmania$ curl -X POST --data "email=mailmanadmin@example.org" --data "display_name=displayname" --data "is_server_owner=anyoldvaluewilldo" --header "authorization: Basic cmVzdGFkbWluOnJlc3RwYXNz" http://localhost:8001/3.0/users


# GET user - you can now see that is_server_owner is true
(venv3.4)ubuntu@mail:~/mailmania$ curl --header "authorization: Basic cmVzdGFkbWluOnJlc3RwYXNz" http://localhost:8001/3.0/users/mailmanadmin@example.org
{"display_name": "displayname", "password": "$6$rounds=105489$ToJ.XV3yw0Mvee8r$pbMEE/6e1Xw8PPOunQGX1IL21NmNLrSwl3VFwZNtsoxwCjZ7iWZ.SjDmX7rs9nlM7pglz54GFjB8hmn.rOI.d/", "http_etag": "\"7891a3ea8a2c71a67e738aede9b9d2cfbf438073\"", "user_id": 264084494277271879132250546838180918030, "self_link": "http://localhost:8001/3.0/users/264084494277271879132250546838180918030", "created_on": "2015-07-12T05:08:07.320945", "is_server_owner": true}

# DELETE user to make sure it's not present
(venv3.4)ubuntu@mail:~/mailmania$ curl -X DELETE --header "authorization: Basic cmVzdGFkbWluOnJlc3RwYXNz" http://localhost:8001/3.0/users/mailmanadmin@example.org

# create user via POST without any POSTed field value for is_server_owner
(venv3.4)ubuntu@mail:~/mailmania$ curl -X POST --data "email=mailmanadmin@example.org" --data "display_name=displayname" --header "authorization: Basic cmVzdGFkbWluOnJlc3RwYXNz" http://localhost:8001/3.0/users

# GET user - you can now see that is_server_owner is false
(venv3.4)ubuntu@mail:~/mailmania$ curl --header "authorization: Basic cmVzdGFkbWluOnJlc3RwYXNz" http://localhost:8001/3.0/users
{"total_size": 2, "start": 0, "entries": [{"display_name": "Insecure Testuser", "password": "$6$rounds=107421$p9wIIl6zAEHEe5ZC$JH0MhieMJr8URXGsQ5I6zLa3l4whbRsMhjKOntfDlxOrfstxaRvlMgPvuEYU05ptNnSJdSnB43Elw0zAshFux1", "http_etag": "\"6394e37e623cbfa20445201f091c4aabaaa01340\"", "user_id": 309469782534072420914095048754305489000, "self_link": "http://localhost:8001/3.0/users/309469782534072420914095048754305489000", "created_on": "2015-07-12T04:49:17.499529", "is_server_owner": true}, {"display_name": "displayname", "password": "$6$rounds=98938$pOH6NcMh5RN1mNs0$8wUWsaEXVaqiA6z/B2qTXIYVDMVMunzaMmWCL3JmxL/EnknA4A0PFisJZA0VcDOzY0KqiU2sljlBPXuNrEypl.", "http_etag": "\"3c81af299b5b36b104d9c7066fed63273a72bf48\"", "user_id": 176959263898569148772584820722098620353, "self_link": "http://localhost:8001/3.0/users/176959263898569148772584820722098620353", "created_on": "2015-07-12T05:09:12.043209", "is_server_owner": false}], "http_etag": "\"943acca65a65afd2c1c40b6fc1e010b337e1bad6\""}
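The symptom reported above (any value posted for is_server_owner, including "False", yields true) is what you get when a handler tests the truthiness of the raw string instead of parsing it. The following is an added example, not Mailman's code and not the poster's: it puts that buggy pattern next to a strict parser that accepts only explicit true/false tokens and rejects anything else, so a request carrying "anyoldvaluewilldo" is refused rather than silently promoted. The field name is_server_owner comes from the post; the handler shape, token sets, and sample POST bodies are assumptions constructed for the demonstration.

```python
# Added example (not Mailman's implementation): strict boolean parsing for a
# REST/form field versus the truthiness pattern that causes the reported bug.
# `is_server_owner` is the field named in the post; everything else is assumed.

from typing import Callable, Mapping


def naive_bool(form: Mapping[str, str], name: str, default: bool = False) -> bool:
    """Buggy pattern: bool() on a non-empty string is always True, so 'False',
    'no' and 'anyoldvaluewilldo' all come back as True."""
    if name in form:
        return bool(form[name])
    return default


TRUE_TOKENS = frozenset({"true", "1", "yes", "on"})
FALSE_TOKENS = frozenset({"false", "0", "no", "off"})


class InvalidBoolean(ValueError):
    """Raised when a boolean field carries a value that is neither true nor false."""


def strict_bool(form: Mapping[str, str], name: str, default: bool = False) -> bool:
    """Hardened pattern: only an explicit token is accepted; anything else is an
    error for the caller to turn into a 400, never a guess in either direction."""
    if name not in form:
        return default
    token = form[name].strip().lower()
    if token in TRUE_TOKENS:
        return True
    if token in FALSE_TOKENS:
        return False
    raise InvalidBoolean(f"{name}: expected a boolean, got {form[name]!r}")


def create_user(form: Mapping[str, str],
                parser: Callable[[Mapping[str, str], str], bool]) -> dict:
    """Stand-in for a user-creation handler (assumed shape); returns the record
    that would be persisted, with the privilege flag parsed by `parser`."""
    return {
        "email": form["email"],
        "display_name": form.get("display_name", ""),
        "is_server_owner": parser(form, "is_server_owner"),
    }


# Constructed sample POST bodies mirroring the three cases in the post.
EXPLICIT_FALSE = {"email": "user@example.org", "display_name": "d", "is_server_owner": "False"}
JUNK_VALUE = {"email": "user@example.org", "display_name": "d", "is_server_owner": "anyoldvaluewilldo"}
OMITTED = {"email": "user@example.org", "display_name": "d"}


if __name__ == "__main__":
    for label, body in (("explicit False", EXPLICIT_FALSE), ("junk value", JUNK_VALUE), ("omitted", OMITTED)):
        naive = create_user(body, naive_bool)["is_server_owner"]
        try:
            strict = create_user(body, strict_bool)["is_server_owner"]
        except InvalidBoolean as exc:
            strict = f"rejected ({exc})"
        print(f"{label:15} naive={naive!s:5} strict={strict}")
```

Rejecting unknown tokens matters more than the choice of accepted spellings: a privilege flag that defaults to the elevated value on malformed input is the kind of fail-open the post describes, and a regression test that posts "False" and asserts the stored flag is false is the cheapest way to keep it from coming back.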
