[Mailman-Users] Cookie patch?

barry at python.org barry at python.org
Fri Jan 31 07:40:05 CET 2003 

For folks having trouble with interoperability of Mailman 2.0 and 2.1
cookies, could you please try the following patch?

-Barry

-------------------- snip snip --------------------
Index: SecurityManager.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/SecurityManager.py,v
retrieving revision 2.20
diff -u -r2.20 SecurityManager.py
--- SecurityManager.py	2 Dec 2002 14:03:45 -0000	2.20
+++ SecurityManager.py	31 Jan 2003 06:38:47 -0000
@@ -1,4 +1,4 @@
-# Copyright (C) 1998,1999,2000,2001,2002 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -47,11 +47,12 @@
 # also relies on the security of SHA1.
 
 import os
-import time
+import re
 import sha
+import time
+import Cookie
 import marshal
 import binascii
-import Cookie
 from types import StringType, TupleType
 from urlparse import urlparse
 
@@ -269,14 +270,12 @@
         cookiedata = os.environ.get('HTTP_COOKIE')
         if not cookiedata:
             return 0
-        # Treat the cookie data as simple strings, and do application level
-        # decoding as necessary.  By using SimpleCookie, we prevent any kind
-        # of security breach due to untrusted cookie data being unpickled
-        # (which is quite unsafe).
-        try:
-            c = Cookie.SimpleCookie(cookiedata)
-        except Cookie.CookieError:
-            return 0
+        # We can't use the Cookie module here because it isn't liberal in what
+        # it accepts.  Feed it a MM2.0 cookie along with a MM2.1 cookie and
+        # you get a CookieError. :(.  All we care about is accessing the
+        # cookie data via getitem, so we'll use our own parser, which returns
+        # a dictionary.
+        c = parsecookie(cookiedata)
         # If the user was not supplied, but the authcontext is AuthUser, we
         # can try to glean the user address from the cookie key.  There may be
         # more than one matching key (if the user has multiple accounts
@@ -316,7 +315,7 @@
         # simply request reauthorization, resulting in a new cookie being
         # returned to the client.
         try:
-            data = marshal.loads(binascii.unhexlify(c[key].value))
+            data = marshal.loads(binascii.unhexlify(c[key]))
             issued, received_mac = data
         except (EOFError, ValueError, TypeError, KeyError):
             return 0
@@ -331,3 +330,14 @@
             return 0
         # Authenticated!
         return 1
+
+
+
+splitter = re.compile(';\s*')
+
+def parsecookie(s):
+    c = {}
+    for p in splitter.split(s):
+        k, v = p.split('=')
+        c[k] = v
+    return c

More information about the Mailman-Users mailing list