password reminder can be shunt when encoding usascii

Bug #266170 reported by Ber-users
Affects: GNU Mailman
Status: Fix Released
Importance: Medium
Assigned to: Tokio Kikuchi

Bug Description

One user here has a password with characters which
are not in usascii. The default language of the Mailman
installation is English (USA) which gives usascii as
encoding.
This is a stable Debian with Python 2.1.3.

The password reminders to be sent to this person are
shunted because of:

Uncaught runner exception: ASCII encoding error: ordinal not in range(128)
  File "/home/services/mailman/Mailman/Queue/Runner.py", line 111, in _oneloop
    self._onefile(msg, msgdata)
  File "/home/services/mailman/Mailman/Queue/Runner.py", line 167, in _onefile
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/home/services/mailman/Mailman/Queue/OutgoingRunner.py", line 73, in _dispose
    self._func(mlist, msg, msgdata)
  File "/home/services/mailman/Mailman/Handlers/SMTPDirect.py", line 152, in process
    deliveryfunc(mlist, msg, msgdata, envsender, refused, conn)
  File "/home/services/mailman/Mailman/Handlers/SMTPDirect.py", line 356, in bulkdeliver
    msgtext = msg.as_string()
  File "/home/services/mailman/Mailman/Message.py", line 208, in as_string
    g.flatten(self, unixfrom=unixfrom)
  File "/home/services/mailman/pythonlib/email/Generator.py", line 102, in flatten
    self._write(msg)
  File "/home/services/mailman/pythonlib/email/Generator.py", line 130, in _write
    self._dispatch(msg)
  File "/home/services/mailman/pythonlib/email/Generator.py", line 156, in _dispatch
    meth(msg)
  File "/home/services/mailman/pythonlib/email/Generator.py", line 202, in _handle_text
    self._fp.write(payload)
UnicodeError: ASCII encoding error: ordinal not in range(128)

[http://sourceforge.net/tracker/index.php?func=detail&aid=1090439&group_id=103&atid=100103]

Tokio Kikuchi (tkikuchi) wrote :

I have no idea how latin-1 8bit characters to be included in
a us-ascii english list password reminder. Maybe we should
restrict password within us-ascii printables. I want to work
on this direction so I am assigning this to myself.

Tokio Kikuchi (tkikuchi) wrote :

Sorry but fix will be after 2.1.6 release. In the meantime,
the site owner can reset the password of this person from
bin/withlist script.

Ber-users (ber-users) wrote :

If a user changes his password and just types a character
on the keyboard that is non-usascii. :-)

Restricting the password characters to usascii seems to be a bad
idea because it will lower the possibilities for passwords,
making them cryptographically weaker.

Tokio Kikuchi (tkikuchi) wrote :

OK, fix was in time for 2.1.6 for password reminder from web
interface only; monthly reminder has already been fixed.
Password retrieval by mail command is still not fixed. 8bit
password by mail command needs more study because the
request mail might be encoded (quoted or base64).

I would prefer restricting password characters within
ascii-printables because there is no cryptography in mailman
user passwords. You only get (steal) the config file to get
the plain text password. You don't have to run 'crack' to
guess the password from crypted passwd entry like in Unix.

In any event, next major version of mailman should be free
of user password.

Ber-users (ber-users) wrote :

It might not be the right place to discuss it,
but the restriction of character sets
makes it easier to guess and try the password
and less usable for non-English users because they probably
have a harder time remembering the password.
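
The charset failure in the traceback and the encoded-request case raised in the comments, as an added Python 3 example that is not part of the original thread and is not Mailman's actual fix. `build_reminder` and `decoded_body` are hypothetical helper names, and the passwords are constructed samples.

```python
from email import message_from_bytes
from email.mime.text import MIMEText


def build_reminder(password, list_charset="us-ascii"):
    """Build a reminder body; return (message, charset actually used).

    The list's charset is tried first. If the password cannot be
    represented in it (the condition behind the UnicodeError above),
    the body is declared as utf-8 instead of being shunted.
    """
    body = "Your password is: %s\n" % password
    for charset in (list_charset, "utf-8"):
        try:
            body.encode(charset)
        except UnicodeEncodeError:
            continue  # this charset cannot carry the password
        # MIMEText sets Content-Type charset and a matching
        # Content-Transfer-Encoding (7bit, quoted-printable or base64).
        return MIMEText(body, "plain", charset), charset
    raise ValueError("password is not encodable in any offered charset")


def decoded_body(raw):
    """Return the text of a single-part message as str.

    Undoes the transfer encoding (quoted-printable or base64) first,
    then the declared charset, which is the step an 8bit password
    arriving by mail needs before it can be compared or stored.
    """
    msg = message_from_bytes(raw)
    payload = msg.get_payload(decode=True)
    return payload.decode(msg.get_content_charset("us-ascii"))


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the report.
    for pw, cs in (("secret", "us-ascii"), ("pässwörd", "us-ascii"),
                   ("pässwörd", "iso-8859-1")):
        msg, used = build_reminder(pw, cs)
        print(cs, "->", used, msg["Content-Transfer-Encoding"])
        assert pw in decoded_body(msg.as_bytes())
```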
