2.0 cookies break 2.1 web auth

Bug #265839 reported by Fehwalker-users
Affects: GNU Mailman
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: (not set)

Bug Description

(as discussed on mailman-users)

If there are *any* mm2.0 cookies in the URI-space mm2.1 looks in, the
following code will always raise a Cookie.CookieException and return 0.

        # Treat the cookie data as simple strings, and do application level
        # decoding as necessary. By using SimpleCookie, we prevent any kind
        # of security breach due to untrusted cookie data being unpickled
        # (which is quite unsafe).
        try:
            c = Cookie.SimpleCookie(cookiedata)
        except Cookie.CookieError:
            return 0

If Python's Cookie code (or at least SimpleCookie) doesn't like cookies
with :'s in them, that'd explain it.

This is rather a problem for anyone thinking they could run both mm2.0 and
mm2.1 mapped into the same URI-space. Simply put, you can't (without
re-auth'ing with every action in 2.1 lists), unless the mm2.1 code is
rewritten to handle that exception better. Or unless you nuke all your
cookies after every use of a 2.0 list (not just logout - in my testing that
doesn't actually remove the cookie, just the cookie's contents).

The good news is that this should be no problem once everything is moved to
2.1.

[http://sourceforge.net/tracker/index.php?func=detail&aid=664466&group_id=103&atid=100103]
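The failure mode described above, as an added example that is not part of the original report or of Mailman's code: a strict all-or-nothing parse of the Cookie: header beside a lenient one that isolates the single cookie Mailman 2.1 needs. The names list:admin, list+admin and [bad] and the header value are constructed; the report's trigger was a colon in a 2.0 cookie name, which the Python 2 Cookie module of the time rejected, so the constructed header also carries a name the current http.cookies parser cannot match, and the same loss shows on Python 3.

```python
"""Lenient cookie parsing: a foreign or unparseable cookie in the shared
URI space must not knock out the one cookie the application needs."""
from http.cookies import SimpleCookie, CookieError

# Constructed Cookie: header. 'list:admin' mimics a Mailman 2.0 style name,
# '[bad]' is a cookie whose name http.cookies cannot parse, and 'list+admin'
# is the 2.1 style name whose value we actually need.
COOKIE_HEADER = 'list:admin=v0; [bad]=1; list+admin=deadbeef0042'


def strict_cookies(header):
    """Hand the whole header to SimpleCookie, as the snippet above does.

    One bad piece makes it raise CookieError (older Pythons) or stop
    parsing at that point (current http.cookies); either way the cookies
    after it are lost."""
    try:
        cookie = SimpleCookie(header)
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in cookie.items()}


def lenient_cookies(header):
    """Split the header ourselves and skip pieces that are not name=value."""
    found = {}
    for piece in header.split(';'):
        name, sep, value = piece.partition('=')
        name, value = name.strip(), value.strip()
        if not sep or not name:
            continue  # bare token or empty name: ignore it and keep going
        found[name] = value
    return found


def auth_cookie(header, listname, authkind):
    """Return the 2.1 style cookie value for (listname, authkind) or None.

    Only that single cookie is re-validated through SimpleCookie, so its
    quoting rules still apply without the neighbours being able to veto it."""
    key = '%s+%s' % (listname, authkind)
    value = lenient_cookies(header).get(key)
    if value is None:
        return None
    try:
        cookie = SimpleCookie('%s=%s' % (key, value))
    except CookieError:
        return None
    morsel = cookie.get(key)
    return None if morsel is None else morsel.value
```

With the strict parse the 2.1 cookie never arrives at the check and every request would fall back to re-authentication, which is the behaviour the report describes; the lenient parse still yields it.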

Tags: web-cgi
Barry Warsaw (barry) wrote:

The following patch should fix this.
