Set lifetime for input forms

Bug #775294 reported by Tokio Kikuchi
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
GNU Mailman | Fix Released | Undecided | Unassigned |

Bug Description

We may have to set a lifetime for input forms because of recent activities on cross-site request forgery (CSRF). The form lifetime is successfully deployed in frameworks like web.py, Plone, etc.

Proposed branch lp:~tkikuchi/mailman/form-lifetime implements a lifetime in the admin, admindb, options and edithtml interfaces. Other forms like create and rmlist have confirmation by password and thus are safe regarding CSRF.

The form generation time is set by a hidden parameter whose value is calculated following the Mailman cookie algorithm. The default lifetime is set to 1 hour in Default.py and is thus configurable by a site administrator.

If a password is set in the request, the authorization cookie is discarded so that password authentication is forced. The wget tricks to manage lists in the FAQ can be used as they are now.
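A minimal sketch of the time-limited hidden form token described in the report, as an added example that is not Mailman's code or the code in the proposed branch. It substitutes HMAC-SHA256 for the Mailman cookie algorithm, and the function names, the server-side secret and the context string (for example list name plus authenticated role) are assumptions made for illustration.

```python
import hashlib
import hmac
import time

FORM_LIFETIME = 3600  # seconds; mirrors the 1-hour default named in the report


def _mac(secret, issued, context):
    # Bind the issue time to the context so a token cannot be reused elsewhere.
    msg = f"{issued}:{context}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_form_token(secret, context, now=None):
    """Return 'issued:mac', the value of the hidden field in a generated form."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_mac(secret, issued, context)}"


def check_form_token(secret, context, token, now=None, lifetime=FORM_LIFETIME):
    """Accept a submitted token only if it is authentic, bound to this
    context, and no older than the configured form lifetime."""
    now = time.time() if now is None else now
    try:
        issued_text, mac_hex = token.split(":", 1)
    except (AttributeError, ValueError):
        return False  # hidden field missing or malformed
    if not (issued_text.isascii() and issued_text.isdigit()):
        return False
    issued = int(issued_text)
    expected = _mac(secret, issued, context)
    # Constant-time comparison; a changed timestamp invalidates the MAC.
    if not hmac.compare_digest(expected.encode(), mac_hex.encode()):
        return False
    # Reject expired forms and tokens dated in the future.
    return 0 <= now - issued <= lifetime


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample secret
    tok = make_form_token(key, "mylist:admin")
    print("fresh form accepted:", check_form_token(key, "mylist:admin", tok))
    print("after 2 hours:", check_form_token(key, "mylist:admin", tok,
                                             now=time.time() + 7200))
```
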

Mark Sapiro (msapiro)
Changed in mailman:
status: New → Fix Committed
Mark Sapiro (msapiro) wrote :

The lp:~tkikuchi/mailman/form-lifetime branch was only partially merged for Mailman 2.1.15. It has now been completely merged for Mailman 2.1.23.

Changed in mailman:
milestone: none → 2.1.15
Mark Sapiro (msapiro)
Changed in mailman:
status: Fix Committed → Fix Released
information type: Private Security → Public
Mark Sapiro (msapiro)
Changed in mailman:
milestone: 2.1.15 → 2.1.23
Mark Sapiro (msapiro) wrote :

CVE-2016-7123 has recently been issued noting that a CSRF vulnerability exists in the admin interface in Mailman prior to 2.1.15.
