#968 password reminder can be shunt when encoding usascii

2.1 (stable)
closed-fixed
None
5
2005-01-18
2004-12-23
No

One user here has a password with characters which are not in usascii. The default language of the Mailman installation is English (USA) which gives usascii as encoding.
This is a stable Debian with Python 2.1.3.

The password reminders to be sent to this person are shunted because of:

Uncaught runner exception: ASCII encoding error: ordinal not in range(128)
  File "/home/services/mailman/Mailman/Queue/Runner.py", line 111, in _oneloop
    self._onefile(msg, msgdata)
  File "/home/services/mailman/Mailman/Queue/Runner.py", line 167, in _onefile
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/home/services/mailman/Mailman/Queue/OutgoingRunner.py", line 73, in _dispose
    self._func(mlist, msg, msgdata)
  File "/home/services/mailman/Mailman/Handlers/SMTPDirect.py", line 152, in process
    deliveryfunc(mlist, msg, msgdata, envsender, refused, conn)
  File "/home/services/mailman/Mailman/Handlers/SMTPDirect.py", line 356, in bulkdeliver
    msgtext = msg.as_string()
  File "/home/services/mailman/Mailman/Message.py", line 208, in as_string
    g.flatten(self, unixfrom=unixfrom)
  File "/home/services/mailman/pythonlib/email/Generator.py", line 102, in flatten
    self._write(msg)
  File "/home/services/mailman/pythonlib/email/Generator.py", line 130, in _write
    self._dispatch(msg)
  File "/home/services/mailman/pythonlib/email/Generator.py", line 156, in _dispatch
    meth(msg)
  File "/home/services/mailman/pythonlib/email/Generator.py", line 202, in _handle_text
    self._fp.write(payload)
UnicodeError: ASCII encoding error: ordinal not in range(128)
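
The failure above comes from flattening a body that the declared us-ascii charset cannot represent. The following is an added example, not code from the report or from Mailman's fix: it uses the modern Python 3 `email` package rather than the Python 2.1.3 library in the traceback, and the helper names `pick_charset`, `build_reminder` and `read_body` are hypothetical. It declares the list charset only when the body fits it and otherwise falls back to UTF-8, so the message always serializes.

```python
from email import message_from_bytes
from email.mime.text import MIMEText


def pick_charset(text, preferred="us-ascii", fallback="utf-8"):
    """Return the first charset that can represent text without loss."""
    for charset in (preferred, fallback):
        try:
            text.encode(charset)
            return charset
        except UnicodeEncodeError:
            continue
    raise ValueError("text is not encodable in %s or %s" % (preferred, fallback))


def build_reminder(address, password, list_charset="us-ascii"):
    """Build a reminder whose declared charset matches its body."""
    body = "Your list password is: %s\n" % password  # constructed wording
    charset = pick_charset(body, list_charset)
    msg = MIMEText(body, "plain", charset)
    msg["To"] = address
    msg["Subject"] = "Password reminder"
    return msg


def read_body(raw):
    """Parse the wire form and decode the body as a recipient's client would."""
    parsed = message_from_bytes(raw)
    return parsed.get_payload(decode=True).decode(parsed.get_content_charset())


if __name__ == "__main__":
    for pw in ("geheim", "pässwört"):  # constructed sample passwords
        msg = build_reminder("user@example.org", pw)
        raw = msg.as_bytes()
        print(msg.get_content_charset(), msg["Content-Transfer-Encoding"],
              pw in read_body(raw))
```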

Discussion

  • Tokio Kikuchi

    Tokio Kikuchi - 2005-01-17
    • assigned_to: nobody --> tkikuchi
    • status: open --> open-later
     
  • Tokio Kikuchi

    Tokio Kikuchi - 2005-01-17

    I have no idea how latin-1 8bit characters are to be included in
    a us-ascii english list password reminder. Maybe we should
    restrict password within us-ascii printables. I want to work
    on this direction so I am assigning this to myself.

     
  • Tokio Kikuchi

    Tokio Kikuchi - 2005-01-17

    Sorry but fix will be after 2.1.6 release. In the meantime,
    the site owner can reset the password of this person from
    bin/withlist script.

     
  • Bernhard Reiter

    Bernhard Reiter - 2005-01-17

    If a user changes his password and just types a character
    on the keyboard that is non-usascii. :-)

    Restricting the password characters to usascii seems to be a bad
    idea because it will lower the possibilities for passwords,
    making them cryptographically weaker.

     
  • Tokio Kikuchi

    Tokio Kikuchi - 2005-01-18

    OK, fix was in time for 2.1.6 for password reminder from web
    interface only; monthly reminder has already been fixed.
    Password retrieval by mail command is still not fixed. 8bit
    password by mail command needs more study because the
    request mail might be encoded (quoted or base64).

    I would prefer restricting password characters within
    ascii-printables because there is no cryptography in mailman
    user passwords. You only get (steal) the config file to get
    the plain text password. You don't have to run 'crack' to
    guess the password from crypted passwd entry like in Unix.

    In any event, next major version of mailman should be free
    of user password.

     
  • Tokio Kikuchi

    Tokio Kikuchi - 2005-01-18
    • status: open-later --> closed-fixed
     
  • Bernhard Reiter

    Bernhard Reiter - 2005-01-18

    It might not be the right place to discuss it,
    but the restriction of character sets
    makes it easier to guess and try the password
    and less usable for non-English users because they probably
    have a harder time remembering the password.

     
