Package: mailman
Severity: normal
Tags: patch
Mailman offers a web interface that relies heavily on cookies.
If the web interface is used via https, those cookies should have the
secure flag set.
Attached is a patch which allows system administrators to indicate
manually whether they would like the secure flag to be set or not.
Feel free to forward upstream, if that would be useful.
--dkg
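As an added illustration (not part of the bug report or of Mailman's code), the snippet below rebuilds the patched cookie construction with Python 3's `http.cookies` module, which kept the `Morsel` semantics of the Python 2 `Cookie` module the patch targets: `secure` is a flag attribute, so the string `'yes'` used in the patch emits a bare `Secure` token rather than `secure=yes`. It also includes a small helper an administrator can point at a captured `Set-Cookie` value to confirm the flag is actually present; the cookie name and value are constructed.

```python
from http.cookies import SimpleCookie


def build_session_cookie(key, value, secure_cookies):
    """Mimic the patched SecurityManager.MakeCookie: RFC 2109 Version
    attribute plus, when SECURE_COOKIES is enabled, the Secure flag.
    Returns the Set-Cookie value (without the header name)."""
    c = SimpleCookie()
    c[key] = value
    c[key]['version'] = 1          # as in the original Mailman code
    if secure_cookies:             # the patch's mm_cfg.SECURE_COOKIES switch
        # Morsel treats 'secure' as a flag: any truthy value, including
        # the patch's 'yes', is rendered as a bare "Secure" token.
        c[key]['secure'] = 'yes'
    return c[key].OutputString()


def cookie_attributes(set_cookie_value):
    """Lower-cased attribute names of a Set-Cookie value, e.g. {'secure', 'version'}."""
    parts = [p.strip() for p in set_cookie_value.split(';')]
    # parts[0] is name=value; everything after it is an attribute or flag
    return {p.split('=', 1)[0].lower() for p in parts[1:] if p}


def is_secure(set_cookie_value):
    """True if the Set-Cookie value carries the Secure flag."""
    return 'secure' in cookie_attributes(set_cookie_value)


if __name__ == '__main__':
    # Constructed sample: a list admin session cookie as Mailman names them.
    for flag in (False, True):
        header = build_session_cookie('mylist+admin', 'abc123', flag)
        print('SECURE_COOKIES=%s -> %s (Secure: %s)' % (flag, header, is_secure(header)))
```

Feeding a real `Set-Cookie` value copied from the browser's developer tools into `is_secure()` is a quick way to verify the setting took effect after restarting the web server.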
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -ru mailman-2.1.13.orig/Mailman/Defaults.py.in mailman-2.1.13/Mailman/Defaults.py.in
--- mailman-2.1.13.orig/Mailman/Defaults.py.in 2010-12-07 16:54:35.000000000 -0500
+++ mailman-2.1.13/Mailman/Defaults.py.in 2010-12-07 17:22:02.000000000 -0500
@@ -362,6 +362,9 @@
# publically available?
PUBLIC_MBOX = No
+# set the secure flag on all cookies? Only enable this if your web
+# interface is always accessed via https.
+SECURE_COOKIES = No
#####
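Review bot: the comment above `SECURE_COOKIES = No` should spell out the failure mode and where the override goes. With the flag set, a browser never returns the cookie over plain http, so any list or admin page still reachable via http will drop the session and present the login form again; and since the second hunk reads the value through `mm_cfg.SECURE_COOKIES`, site administrators should be told to set it in mm_cfg.py rather than edit the distributed defaults. Suggested wording: `# Only enable this if every URL of the web interface is served over https; over http the browser will not send the cookie and logins will fail. Override in mm_cfg.py.`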
diff -ru mailman-2.1.13.orig/Mailman/SecurityManager.py mailman-2.1.13/Mailman/SecurityManager.py
--- mailman-2.1.13.orig/Mailman/SecurityManager.py 2009-12-22 13:00:43.000000000 -0500
+++ mailman-2.1.13/Mailman/SecurityManager.py 2010-12-07 17:24:59.000000000 -0500
@@ -250,6 +250,8 @@
# We use session cookies, so don't set `expires' or `max-age' keys.
# Set the RFC 2109 required header.
c[key]['version'] = 1
+ if mm_cfg.SECURE_COOKIES:
+ c[key]['secure'] = 'yes'
return c
def ZapCookie(self, authcontext, user=None):
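Review bot: `c[key]['secure'] = 'yes'` only works because the Cookie module treats `secure` as a boolean flag and emits a bare `Secure` token for any truthy value; writing `c[key]['secure'] = True` says what is meant and stops a reader from assuming `secure=yes` goes on the wire. Separately, `ZapCookie` directly below is left untouched; if it constructs the expiring cookie with the same `c[key][...]` pattern, it should honour `mm_cfg.SECURE_COOKIES` too, so that the cookie used to clear a session has the same attributes as the one it replaces.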