Merge lp://staging/~tkikuchi/mailman/form-lifetime into lp://staging/mailman/2.1
Proposed by: Tokio Kikuchi

| Field | Value |
|---|---|
| Status | Merged |
| Merge reported by | Mark Sapiro |
| Merged at revision | not available |
| Proposed branch | lp://staging/~tkikuchi/mailman/form-lifetime |
| Merge into | lp://staging/mailman/2.1 |
| Diff against target | 429 lines (+190/-12), 8 files modified |
| To merge this branch | `bzr merge lp://staging/~tkikuchi/mailman/form-lifetime` |
| Related bugs | |
| Review via email | mp+64107@code.staging.launchpad.net |

Files modified:

- Mailman/CSRFcheck.py (+73/-0)
- Mailman/Cgi/admin.py (+24/-5)
- Mailman/Cgi/admindb.py (+22/-2)
- Mailman/Cgi/edithtml.py (+22/-2)
- Mailman/Cgi/options.py (+27/-1)
- Mailman/Defaults.py.in (+3/-0)
- Mailman/HTMLFormatter.py (+8/-1)
- Mailman/htmlformat.py (+11/-1)

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Mark Sapiro | Pending | | |
Description of the change
Setting a lifetime for input forms is useful in protecting lists and user settings from cross-site request forgery (CSRF).
The form generation time is set by a hidden parameter whose value is calculated following the mailman cookie algorithm. The default lifetime is set to 1 hour in Default.py and is thus configurable by a site administrator. If a password is set in the request, the authorization cookie is discarded so that password authentication is forced.
This code has been in operation for more than a month on my sites and is considered to be stable.
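The mechanism the description outlines, as an added illustration that is not Mailman's own code from this branch: the form carries a hidden value binding the issue time to the list and user under a site secret, and the server rejects the submission once the configured lifetime (1 hour by default) has elapsed or the value has been altered. The secret, the HMAC-SHA256 construction, and the `list:user:issued` message layout are assumptions for the example, not Mailman's cookie algorithm.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real deployment uses its own site secret.
SITE_SECRET = b"constructed-site-secret-for-demo"
# Default form lifetime from the proposal description: 1 hour, in seconds.
FORM_LIFETIME = 3600


def _mac(list_name, user, issued, secret):
    # Bind the issue time to the list and user so a token cannot be
    # replayed against a different list or account (assumed layout).
    msg = "%s:%s:%d" % (list_name, user, issued)
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def make_form_token(list_name, user, issued=None, secret=SITE_SECRET):
    """Return 'issued:mac', the value to place in a hidden form field."""
    if issued is None:
        issued = int(time.time())
    return "%d:%s" % (issued, _mac(list_name, user, issued, secret))


def check_form_token(token, list_name, user, now=None,
                     lifetime=FORM_LIFETIME, secret=SITE_SECRET):
    """Accept only a well-formed, unexpired token with a valid MAC."""
    if now is None:
        now = int(time.time())
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False  # malformed or missing hidden field
    # Reject forms older than the lifetime, and timestamps from the future.
    if not (issued <= now < issued + lifetime):
        return False
    expected = _mac(list_name, user, issued, secret)
    # Constant-time comparison avoids leaking the MAC via timing.
    return hmac.compare_digest(expected, mac)
```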