Package: mailman
Severity: normal
Tags: patch

Mailman offers a web interface that relies heavily on cookies. If the web interface is used via https, those cookies should have the secure flag set. Attached is a patch which allows system administrators to indicate manually whether they would like the secure flag to be set or not. Feel free to forward upstream, if that would be useful.

--dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -ru mailman-2.1.13.orig/Mailman/Defaults.py.in mailman-2.1.13/Mailman/Defaults.py.in --- mailman-2.1.13.orig/Mailman/Defaults.py.in 2010-12-07 16:54:35.000000000 -0500 +++ mailman-2.1.13/Mailman/Defaults.py.in 2010-12-07 17:22:02.000000000 -0500 @@ -362,6 +362,9 @@ # publically available? PUBLIC_MBOX = No +# set the secure flag on all cookies? Only enable this if your web +# interface is always accessed via https. +SECURE_COOKIES = No ##### diff -ru mailman-2.1.13.orig/Mailman/SecurityManager.py mailman-2.1.13/Mailman/SecurityManager.py --- mailman-2.1.13.orig/Mailman/SecurityManager.py 2009-12-22 13:00:43.000000000 -0500 +++ mailman-2.1.13/Mailman/SecurityManager.py 2010-12-07 17:24:59.000000000 -0500 @@ -250,6 +250,8 @@ # We use session cookies, so don't set `expires' or `max-age' keys. # Set the RFC 2109 required header. c[key]['version'] = 1 + if mm_cfg.SECURE_COOKIES: + c[key]['secure'] = 'yes' return c def ZapCookie(self, authcontext, user=None):
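Review bot: The comment on the new SECURE_COOKIES setting in the Defaults.py.in hunk should spell out what goes wrong when its condition is not met, and where the value is meant to be changed. A cookie carrying the Secure flag is never sent by the browser over plain http, so an admin who enables this while any list is still reached over http will not get an error; every authenticated page will simply come back as a fresh login prompt. Also, like the other settings in Defaults.py.in, this one is meant to be overridden in mm_cfg.py rather than edited here. Something like `# Set the secure flag on all cookies?  Only enable this (in mm_cfg.py) if the` / `# web interface is always accessed via https: a Secure cookie is not sent over` / `# http, so logins would silently stop working otherwise.`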
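Review bot: In the SecurityManager.py hunk, `c[key]['secure'] = 'yes'` works only because the Cookie module treats `secure` as a flag attribute and emits a bare `secure` token for any true value; `c[key]['secure'] = True` says that directly and stops a reader from assuming `'no'` would turn it off (it would not, since a non-empty string is still true). The same spot is where an `httponly` flag belongs if the supported Python's Cookie module accepts it (2.6 and later), as the login cookie has no reason to be readable from script. Separately, the flag comes from a global setting rather than from the scheme of the request issuing the cookie, so a deployment that serves some lists over http cannot use it at all; reading the CGI environment (mod_ssl sets HTTPS=on) would let the flag follow the actual connection. Finally, ZapCookie, whose definition follows this hunk, should emit the expiring cookie with the same attributes so the deletion matches the cookie it is meant to remove.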
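The Secure-flag behaviour the bug report relies on, as an added example that is neither Mailman's code nor part of the attached patch. It uses the Python 3 http.cookies module (the counterpart of the Python 2 Cookie module the patch touches). The make_session_cookie() helper, its HTTPS=on environment check, the browser_sends() model of the browser rule and login_survives() are assumptions made here for illustration, and the cookie name and value are constructed:

```python
"""Added example (not Mailman's code): what the Secure flag does to the
Set-Cookie header, and how a browser treats the cookie afterwards."""
from http.cookies import SimpleCookie


def make_session_cookie(key, value, secure_cookies=False, environ=None):
    """Build a session cookie the way the patched cookie-making path does.

    secure_cookies mirrors the patch's global mm_cfg.SECURE_COOKIES switch.
    environ is an optional CGI environment; the check for HTTPS=on is an
    assumption about the web server (Apache mod_ssl sets it) and is not in
    the patch.  Returns the Set-Cookie header value as a string.
    """
    c = SimpleCookie()
    c[key] = value
    c[key]['path'] = '/'
    # Session cookie: no expires/max-age; RFC 2109 version attribute as in Mailman.
    c[key]['version'] = 1
    # Secure: forced by the global switch (as in the patch) or derived from
    # the scheme of the request that is issuing the cookie.
    if secure_cookies or (environ or {}).get('HTTPS', '').lower() == 'on':
        c[key]['secure'] = True   # flag attribute: any true value emits "Secure"
    # HttpOnly keeps document.cookie from reading the session token; the
    # Python 2 Cookie module accepts it from 2.6 onward (not in the patch).
    c[key]['httponly'] = True
    return c[key].OutputString()


def browser_sends(set_cookie_value, request_scheme):
    """Model the RFC 6265 rule a browser applies when deciding whether to
    attach a stored cookie to a request: a cookie marked Secure is sent
    only over https.  Path and Domain matching are ignored here."""
    attrs = {a.strip().lower() for a in set_cookie_value.split(';')[1:]}
    if 'secure' in attrs and request_scheme != 'https':
        return False
    return True


def login_survives(secure_cookies, pages_scheme):
    """The failure mode the patch comment warns about: with SECURE_COOKIES
    on, an admin session reached over plain http never gets its cookie
    back, so every page behaves like a fresh login."""
    header = make_session_cookie('mylist+admin', 'c0ffee', secure_cookies)
    return browser_sends(header, pages_scheme)


if __name__ == '__main__':
    for flag in (False, True):
        print(make_session_cookie('mylist+admin', 'c0ffee', flag))
    # With the flag on, only the https deployment keeps its session.
    print(login_survives(True, 'http'), login_survives(True, 'https'))
```

The scheme-derived branch shows the alternative to a global switch: issuing the cookie with Secure only when the request that created it arrived over TLS, so an http-only list keeps working while an https one gets the protection.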