[Mailman-Users] mm2.1 cookie problem?
Bryan Fullerton
bryanf at samurai.com
Wed Jan 8 05:36:22 CET 2003
On Tuesday, January 7, 2003, at 12:15 AM, Barry A. Warsaw wrote:
> BTW, for the hacker inclined, an possibly useful way to debug this is
> to edit SecurityManager.py, the __checkone() method. Stick something
> like this before the first try: line (untested):
>
> syslog('debug', 'key: %s, c[key]: %s, val: %s', key, c[key],
> c[key].value)
>
> then tail logs/debug until you see the problem. Maybe something
> interesting will show up.
I finally had time in the past half hour to dedicate to debugging this
using syslog() thrown in at various places in SecurityManager.py.
The result of that is... we don't even get to __checkone(). If there
are *any* mm2.0 cookies in the URI-space mm2.1 looks in, the following
code will always raise a Cookie.CookieException and return 0.
# Treat the cookie data as simple strings, and do application
level
# decoding as necessary. By using SimpleCookie, we prevent any
kind
# of security breach due to untrusted cookie data being
unpickled
# (which is quite unsafe).
try:
c = Cookie.SimpleCookie(cookiedata)
except Cookie.CookieError:
return 0
If python's Cookie code (or at least SimpleCookie) doesn't like cookies
with :'s in them that'd explain it.
This is rather a problem for anyone thinking they could run both mm2.0
and mm2.1 mapped into the same URI-space. Simply put, you can't
(without re-auth'ing with every action in 2.1 lists), unless the mm2.1
code is rewritten to handle that exception better. Or unless you nuke
all your cookies after every use of a 2.0 list (not just logout - in my
testing that doesn't actually remove the cookie, just the cookie's
contents).
The good news is that this should be no problem once everything is
moved to 2.1.
Bryan
More information about the Mailman-Users
mailing list