*** This bug is a security vulnerability ***

Private security bug reported:

We may have to set a lifetime for input forms because of recent activities
on cross-site request forgery (CSRF). The form lifetime is successfully
deployed in frameworks like web.py or plone etc. The proposed branch
lp:~tkikuchi/mailman/form-lifetime implements a lifetime in the admin, admindb,
options and edithtml interfaces. Other forms like create and rmlist
have confirmation by password and thus are safe regarding CSRF. The form
generation time is set by a hidden parameter whose value is calculated
following the mailman cookie algorithm. The default lifetime is set to 1
hour in Default.py and is thus configurable by a site administrator. If a
password is set in the request, the authorization cookie is discarded so
password authentication is forced. The wget tricks to manage a list in the FAQ
can be used as they are now.

** Affects: mailman
Importance: Undecided
Status: New

** Branch linked: lp:~tkikuchi/mailman/form-lifetime

You received this bug notification because you are a member of Mailman
Coders, which is a direct subscriber.

Set lifetime for input forms
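The mechanism the report describes, a hidden form field carrying the form generation time bound to a secret and checked against a lifetime, as an added illustration that is not code from the linked branch or from Mailman itself. It assumes a per-list secret supplied as bytes and uses HMAC-SHA256 with the list name mixed in, which is a stronger construction than a plain hash of secret plus timestamp; the token layout, function names and the constructed secret are all assumptions.

```python
import hmac
import hashlib
import time

# Default lifetime in seconds, matching the 1 hour default the report
# proposes for Default.py (assumed name: FORM_LIFETIME).
FORM_LIFETIME = 3600


def make_form_token(secret, listname, now=None):
    """Return the hidden-field value '<issued>:<mac>'.

    `issued` is the form generation time; `mac` binds it to the list's
    secret and name so the field cannot be forged by a third-party page
    or reused against a different list.
    """
    issued = int(time.time() if now is None else now)
    msg = ('%s:%d' % (listname, issued)).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return '%d:%s' % (issued, mac)


def check_form_token(secret, listname, token, now=None,
                     lifetime=FORM_LIFETIME):
    """Accept only an untampered token issued within `lifetime` seconds."""
    now = int(time.time() if now is None else now)
    try:
        issued_str, mac = token.split(':', 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False  # hidden field missing or malformed
    # Recompute the MAC over the claimed issue time and compare in
    # constant time so the check leaks nothing about the secret.
    msg = ('%s:%d' % (listname, issued)).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    # Reject stale forms and forms claiming a future issue time.
    return 0 <= now - issued <= lifetime


if __name__ == '__main__':
    # Constructed sample values; a real deployment derives the secret
    # from the list's stored password hash.
    secret = b'example-list-secret'
    t0 = 1304304000
    tok = make_form_token(secret, 'mylist', now=t0)
    print(tok, check_form_token(secret, 'mylist', tok, now=t0 + 600))
    print(check_form_token(secret, 'mylist', tok, now=t0 + 3601))
```

A form rendered with this field is accepted for one hour after generation; a forged, copied-between-lists, or expired submission fails the check and must be redone with a fresh form.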
