[Bug 871415] Re: "Approved:" password not stripped when list in BCC
Mark Sapiro
mark at msapiro.net
Tue Oct 11 18:59:21 CEST 2011
*** This bug is a duplicate of bug 266220 ***
https://bugs.launchpad.net/bugs/266220
This is a known issue. We remove the Approved: <password> text from any
part in which we can find it, but we can't deal with all pathological
HTML renderings, so this is only best effort, not a guarantee. That is
why we strongly recommend using a true header rather than the first body
line, but you probably can't do that with the gmail web client either.
Note that in Mailman 2.1.15, there will be a 'poster' password that is
only for pre-approving posts, thus minimizing the consequences of
leaking the password as you don't have to use the admin or moderator
password. See <https://bugs.launchpad.net/mailman/+bug/770581>.
If you post an excerpt of the exact HTML from which removal failed (you
can mung the password) to the original bug
<https://bugs.launchpad.net/mailman/+bug/266220>, I'll try to recognize
that case. Note that the current code looks for a match of the
"(X-)Approve(d): password" string it found in the plain text, but with
any combination of spaces, \xA0 and &nbsp; between the : and the
password. It will not find a match if there is a newline inserted, but
it does decode base64 and quoted-printable HTML parts before looking.
--
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/871415
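The matching behaviour described in the message above, as an added example that is not Mailman's own code: the function names, the sample messages and the password `s3kr1t` are constructed for illustration, and `leaked` is an extra post-scrub check added here. It shows the separator run being stripped from a base64-encoded HTML part and the newline case being missed.

```python
import re
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def approved_pattern(name, password):
    # ':' then any mix of space, \xA0 and &nbsp;, then the password (per the description above)
    return re.compile(re.escape(name) + r":(?: |\xa0|&nbsp;)*" + re.escape(password))

def html_parts(msg):
    # Yield each text/html part with its transfer encoding (base64/QP) already decoded
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "us-ascii"
            yield part, charset, part.get_payload(decode=True).decode(charset, "replace")

def scrub(msg, name, password):
    """Strip the approval string from HTML parts; return how many matches were removed."""
    pat, removed = approved_pattern(name, password), 0
    for part, charset, html in html_parts(msg):
        cleaned, n = pat.subn("", html)
        if n:
            del part["Content-Transfer-Encoding"]  # let set_payload re-encode the part
            part.set_payload(cleaned, charset)
            removed += n
    return removed

def leaked(msg, password):
    # Added post-scrub check: does the bare password survive in any HTML part?
    return any(password in html for _, _, html in html_parts(msg))

def build(html):
    # Constructed sample message; "s3kr1t" is a made-up password
    msg = MIMEMultipart("alternative")
    msg.attach(MIMEText("body\n", "plain", "utf-8"))
    msg.attach(MIMEText(html, "html", "utf-8"))  # utf-8 text is sent base64-encoded
    return msg

if __name__ == "__main__":
    ok = build("<p>Approved:&nbsp;\xa0 s3kr1t</p><p>Hello list</p>")
    missed = build("<div>Approved:\n s3kr1t</div><p>Hello list</p>")
    for label, m in (("nbsp run", ok), ("newline", missed)):
        print(label, "removed:", scrub(m, "Approved", "s3kr1t"), "leaked:", leaked(m, "s3kr1t"))
```

A message for which `leaked` still returns true after scrubbing is one that should not be distributed as-is.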