Traceback in private.py after security patch
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
GNU Mailman | Invalid | Medium | Unassigned | | |
Bug Description
I applied the patch at
http://
Mailman 2.1.4 installation and restarted the Web
server. The first time I tried to access the archives
for a private list using an email address that's *not*
subscribed to the list, I got the traceback below.
I backed out the patch and restarted the Web server. I now get the
correct "Authorization failed." message.
Note that for the sake of paranoia I've obfuscated my email address,
changed the names of private lists, and flipped a few bits in the
cookie data and remote address below.
-- Roger
---------------
Bug in Mailman version 2.1.4
We're sorry, we hit a bug!
If you would like to help us identify the problem,
please email a copy of this page to the webmaster for
this site with a description of what happened. Thanks!
Traceback:
Traceback (most recent call last):
File "/usr/local/
run_main
main()
File "/usr/local/
line 124, in main
password, username):
File "/usr/local/
line 220, in WebAuthenticate
ok = self.CheckCooki
File "/usr/local/
line 300, in CheckCookie
ok = self.__checkone(c, authcontext, user)
File "/usr/local/
line 310, in __checkone
key, secret = self.AuthContex
File "/usr/local/
line 105, in AuthContextInfo
secret = self.getMemberP
File
"/usr/local/
line 102, in getMemberPassword
raise Errors.
NotAMemberError: <email address hidden>
Python information:
Variable Value
sys.version 2.2.2 (#1, Jan 30 2003, 21:26:22) [GCC 2.96
20000731 (Red Hat Linux 7.3 2.96-112)]
sys.executable /usr/bin/python2.2
sys.prefix /usr
sys.exec_prefix /usr
sys.path /usr
sys.platform linux2
Environment variables:
Variable Value
PATH_INFO /dfnh-foo/
HTTP_ACCEPT
text/xml,
=0.8,image/
CONTENT_TYPE application/
HTTP_REFERER
http://
SERVER_SOFTWARE Apache/1.3.27 (Unix) (Red-Hat/Linux)
mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12
OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
mod_throttle/3.1.2
PYTHONPATH /usr/local/mailman
SCRIPT_FILENAME /usr/local/
SERVER_ADMIN <email address hidden>
SCRIPT_NAME /mailman/private
SERVER_SIGNATURE
Apache/1.3.27 Server at democracyfornew
Port 80
REQUEST_METHOD POST
HTTP_HOST mail.democracyf
HTTP_KEEP_ALIVE 300
SERVER_PROTOCOL HTTP/1.1
QUERY_STRING
REQUEST_URI /mailman/
CONTENT_LENGTH 63
HTTP_ACCEPT_CHARSET ISO-8859-
HTTP_USER_AGENT Mozilla/5.0 (X11; U; Linux i686;
en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0
HTTP_CONNECTION keep-alive
HTTP_COOKIE
dfnh-board+
334613039396365
3536;
dfnh-members+
376030323966663
SERVER_NAME democracyfornew
REMOTE_ADDR 24.35.177.35
REMOTE_PORT 38224
HTTP_ACCEPT_
PATH_TRANSLATED
/home/roger/
SERVER_PORT 80
GATEWAY_INTERFACE CGI/1.1
HTTP_ACCEPT_
SERVER_ADDR 199.125.75.14
DOCUMENT_ROOT
/home/roger/
[http://
The security patch should have nothing to do with the traceback.
Will you please try again after deleting cookies of this site?
(not disable but delete existing cookies)
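Added example (not Mailman's code and not part of the original report): a minimal Python 3 model of the call chain in the traceback, showing the membership lookup error escaping the cookie check, next to a fail-closed variant that turns it into an ordinary authentication failure. `ToyList`, the cookie naming and the HMAC token scheme are assumptions made for illustration; only the method and exception names come from the traceback.

```python
import hashlib
import hmac


class NotAMemberError(Exception):
    """Address is not subscribed (exception name taken from the traceback)."""


class ToyList:
    """Constructed stand-in for a list object; not Mailman's MailList."""

    def __init__(self, name, members):
        self.name = name
        self._members = dict(members)  # address -> password

    def getMemberPassword(self, user):
        if user not in self._members:
            raise NotAMemberError(user)
        return self._members[user]

    def AuthContextInfo(self, user):
        # Cookie name and secret for a user context; raises for non-members.
        secret = self.getMemberPassword(user)
        return "%s+user+%s" % (self.name, user), secret

    def _token(self, key, secret):
        # Assumed token scheme for this sketch: HMAC-SHA256 of the cookie name.
        return hmac.new(secret.encode(), key.encode(), hashlib.sha256).hexdigest()

    def make_cookie(self, user):
        key, secret = self.AuthContextInfo(user)
        return {key: self._token(key, secret)}

    def check_cookie_unguarded(self, cookies, user):
        # Same shape as the failing call chain: the lookup error escapes.
        key, secret = self.AuthContextInfo(user)
        return hmac.compare_digest(cookies.get(key, ""), self._token(key, secret))

    def check_cookie(self, cookies, user):
        # Fail closed: an unknown address is an authentication failure.
        try:
            key, secret = self.AuthContextInfo(user)
        except NotAMemberError:
            return False
        return hmac.compare_digest(cookies.get(key, ""), self._token(key, secret))
```

With the guarded variant, a request for an unsubscribed address falls through to the normal "Authorization failed." path regardless of which cookies the browser still holds.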