Mailman-coders March 2006

mailman-coders@python.org

1 participants
83 discussions

[ mailman-Bugs-1448537 ] Limit number of subscribe requests in a period
by SourceForge.net 12 Mar '06

12 Mar '06

Bugs item #1448537, was opened at 2006-03-12 15:30 Message generated for change (Comment added) made by eric_black You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1448537&group_… Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: security/privacy Group: None Status: Open Resolution: None Priority: 5 Submitted By: EricB (eric_black) Assigned to: Nobody/Anonymous (nobody) Summary: Limit number of subscribe requests in a period Initial Comment: Add limits (number of requests in a day, and minimum number of days before resetting the counter) to the number of subscribe requests for an email address. Defaults would be 1 request in 1 day. This is needed to prevent malicious mailbombing of an innocent victim by someone repeatedly submitting their address. Currently the victim gets the verify.txt template email for each submission. ---------------------------------------------------------------------- >Comment By: EricB (eric_black) Date: 2006-03-12 19:30 Message: Logged In: YES user_id=1474448 Thanks for the suggestion. That helps if a user complains, but does not help in this scenario: A malicious evil-doer discovers a spamtrap email address used by any of the many RBLs, and repeatedly submits that address in a subscribe request, either by forging email (trivial to do) or by repeatedly submitting the HTML form (also trivial to do). The spamtrap receives multiple confirmation requests. The first confirmation request should be ignored, because typos happen. Subsequent confirmation requests may well be considered to be spam. Especially if there are 5 a day, let alone 100 in the space of an hour. ---------------------------------------------------------------------- Comment By: Tokio Kikuchi (tkikuchi) Date: 2006-03-12 19:19 Message: Logged In: YES user_id=67709 You can suppress sending confirmation by putting the victim's email address in ban_list from the admin page (privacy section), if she/he is not willing to be added in your list. This may not work if the malicious user forges the 'From:' header. In this case, the victim may well introduce some mail filter to get junk mails discarded before they reach her/his eyes. ---------------------------------------------------------------------- Comment By: EricB (eric_black) Date: 2006-03-12 15:47 Message: Logged In: YES user_id=1474448 BTW, I've been running 2.1.5 with this problem, and 2.1.7 still exhibits the vulnerability. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1448537&group_…

1 0

[ mailman-Bugs-1448537 ] Limit number of subscribe requests in a period
by SourceForge.net 12 Mar '06

12 Mar '06

Bugs item #1448537, was opened at 2006-03-12 23:30 Message generated for change (Comment added) made by tkikuchi You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1448537&group_… Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: security/privacy Group: None Status: Open Resolution: None Priority: 5 Submitted By: EricB (eric_black) Assigned to: Nobody/Anonymous (nobody) Summary: Limit number of subscribe requests in a period Initial Comment: Add limits (number of requests in a day, and minimum number of days before resetting the counter) to the number of subscribe requests for an email address. Defaults would be 1 request in 1 day. This is needed to prevent malicious mailbombing of an innocent victim by someone repeatedly submitting their address. Currently the victim gets the verify.txt template email for each submission. ---------------------------------------------------------------------- >Comment By: Tokio Kikuchi (tkikuchi) Date: 2006-03-13 03:19 Message: Logged In: YES user_id=67709 You can suppress sending confirmation by putting the victim's email address in ban_list from the admin page (privacy section), if she/he is not willing to be added in your list. This may not work if the malicious user forges the 'From:' header. In this case, the victim may well introduce some mail filter to get junk mails discarded before they reach her/his eyes. ---------------------------------------------------------------------- Comment By: EricB (eric_black) Date: 2006-03-12 23:47 Message: Logged In: YES user_id=1474448 BTW, I've been running 2.1.5 with this problem, and 2.1.7 still exhibits the vulnerability. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1448537&group_…

1 0

[ mailman-Feature Requests-403066 ] Auto Approval of subscriptions for certain domains
by SourceForge.net 12 Mar '06

12 Mar '06

Feature Requests item #403066, was opened at 2001-01-01 09:27 Message generated for change (Comment added) made by jimpop You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=350103&aid=403066&group_i… Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None Status: Pending Resolution: Accepted Priority: 3 Submitted By: Mark Tearle (mtearle) Assigned to: Mark Sapiro (msapiro) Summary: Auto Approval of subscriptions for certain domains Initial Comment: A patch to enable automatic approval for certain domains, eg people in the example.com are automatically approved all others have to wait for the moderator ---------------------------------------------------------------------- Comment By: Jim Popovitch (jimpop) Date: 2006-03-12 22:12 Message: Logged In: YES user_id=3142 I've successfully applied this against a v2.1.8 system and it works well. Thanks!! ---------------------------------------------------------------------- Comment By: Mark Sapiro (msapiro) Date: 2006-03-11 13:36 Message: Logged In: YES user_id=1123998 The attached patch is against a 2.1.8a1 installed base (installed because it patches Defaults.py and not Defaults.py.in). It is a modification and extension of the original patch. It implements a new list attribute 'subscribe_auto_approval' which is a list of email addresses and regular expressions matching email addresses whose subscriptions are exempt from admin approval. It implements the original intent if one just uses regexps that match domains. This will go in Mailman 2.2, but it would be nice to get some feedback from people who are interested in this feature and are willing to try the patch. ---------------------------------------------------------------------- Comment By: Thomas Wouters (twouters) Date: 2003-03-11 08:31 Message: Logged In: YES user_id=34209 Is this still necessary with Mailman 2.1, which has more 'automatic' options (as well as 'memberadaptors') ? In any case, the patch is likely heavily out of date by now, I'm moving this to Feature Requests for now. Feel free to respond if you (still) have a need. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=350103&aid=403066&group_i…

1 0

[ mailman-Bugs-1448537 ] Limit number of subscribe requests in a period
by SourceForge.net 12 Mar '06

12 Mar '06

1 0

[ mailman-Bugs-1448537 ] Limit number of subscribe requests in a period
by SourceForge.net 12 Mar '06

12 Mar '06

Bugs item #1448537, was opened at 2006-03-12 15:30 Message generated for change (Tracker Item Submitted) made by Item Submitter You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1448537&group_… Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: security/privacy Group: None Status: Open Resolution: None Priority: 5 Submitted By: EricB (eric_black) Assigned to: Nobody/Anonymous (nobody) Summary: Limit number of subscribe requests in a period Initial Comment: Add limits (number of requests in a day, and minimum number of days before resetting the counter) to the number of subscribe requests for an email address. Defaults would be 1 request in 1 day. This is needed to prevent malicious mailbombing of an innocent victim by someone repeatedly submitting their address. Currently the victim gets the verify.txt template email for each submission. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1448537&group_…

1 0

[ mailman-Bugs-1080943 ] Private archive specific message URL lost in authorization
by SourceForge.net 12 Mar '06

12 Mar '06

Bugs item #1080943, was opened at 2004-12-07 14:49 Message generated for change (Settings changed) made by msapiro You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1080943&group_… Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Web/CGI Group: 2.1 (stable) >Status: Closed >Resolution: Fixed Priority: 5 Submitted By: Mark Sapiro (msapiro) Assigned to: Nobody/Anonymous (nobody) Summary: Private archive specific message URL lost in authorization Initial Comment: If a user without an authorization cookie goes to a URL such as http://www.example.com/mailman/private/list-name/yyyy-Month/nnnnnn.html the user will get the private archives authorization page and after filling in e-mail address and password and clicking Let me in... will be taken to the main index for the list at http://www.example.com/mailman/private/list-name/ instead of to the original URL. ---------------------------------------------------------------------- >Comment By: Mark Sapiro (msapiro) Date: 2006-03-12 12:35 Message: Logged In: YES user_id=1123998 Fixed in 2.1.7. ---------------------------------------------------------------------- Comment By: Paul Wise (pabs3) Date: 2005-03-10 03:21 Message: Logged In: YES user_id=35028 There is a fix for this issue in a debian bug report: http://bugs.debian.org/298842 ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1080943&group_…

1 0

[ mailman-Bugs-1275856 ] Utils.get_domain() wrong if VIRTUAL_HOST_OVERVIEW off
by SourceForge.net 12 Mar '06

12 Mar '06

Bugs item #1275856, was opened at 2005-08-29 10:26 Message generated for change (Comment added) made by msapiro You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1275856&group_… Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Web/CGI Group: 2.1 (stable) >Status: Closed >Resolution: Fixed Priority: 5 Submitted By: Mark Sapiro (msapiro) Assigned to: Nobody/Anonymous (nobody) Summary: Utils.get_domain() wrong if VIRTUAL_HOST_OVERVIEW off Initial Comment: Part of the code in get_domain() in Utils.py is: if mm_cfg.VIRTUAL_HOST_OVERVIEW and host: return host.lower() else: # See the note in Defaults.py concerning DEFAULT_HOST_NAME # vs. DEFAULT_EMAIL_HOST. hostname = mm_cfg.DEFAULT_HOST_NAME or mm_cfg.DEFAULT_EMAIL_HOST return hostname.lower() It is clear that get_domain() should return the web host, not the e-mail host. This code should be: if mm_cfg.VIRTUAL_HOST_OVERVIEW and host: return host.lower() else: # See the note in Defaults.py concerning DEFAULT_URL # vs. DEFAULT_URL_HOST. hostname = mm_cfg.DEFAULT_URL or mm_cfg.DEFAULT_URL_HOST return hostname.lower() ---------------------------------------------------------------------- >Comment By: Mark Sapiro (msapiro) Date: 2006-03-12 10:11 Message: Logged In: YES user_id=1123998 Fixed in CVS for releases above 2.1.8a1. hostname = mm_cfg.DEFAULT_URL or mm_cfg.DEFAULT_URL_HOST is not the correct fix as DEFAULT_URL is a URL, not a domain, so I changed it to hostname = mm_cfg.DEFAULT_HOST_NAME or mm_cfg.DEFAULT_URL_HOST ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1275856&group_…

1 0

[ mailman-Patches-1447948 ] Focus password field on admin login page load
by SourceForge.net 11 Mar '06

11 Mar '06

Patches item #1447948, was opened at 2006-03-11 13:58 Message generated for change (Settings changed) made by fractalvisionz You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=300103&aid=1447948&group_… Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Web UI Group: Mailman 2.0.x Status: Open Resolution: None Priority: 5 Submitted By: Jamie (fractalvisionz) Assigned to: Nobody/Anonymous (nobody) >Summary: Focus password field on admin login page load Initial Comment: This patch focuses the password field when the login page is loaded, a very simple and time saving feature. File should be placed in the templates/en directory. DIFF: 5,6c5,12 < <body bgcolor="#ffffff"> < <FORM METHOD=POST ACTION="%(path)s"> --- > <script> > function sf() > { > document.loginform.adminpw.focus(); > } > </script> > <body bgcolor="#ffffff" onLoad=sf()> > <FORM METHOD=POST ACTION="%(path)s" NAME="loginform"> ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=300103&aid=1447948&group_…

1 0

[ mailman-Patches-1447948 ] Focus password field on load
by SourceForge.net 11 Mar '06

11 Mar '06

Patches item #1447948, was opened at 2006-03-11 13:58 Message generated for change (Tracker Item Submitted) made by Item Submitter You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=300103&aid=1447948&group_… Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Web UI Group: Mailman 2.0.x Status: Open Resolution: None Priority: 5 Submitted By: Jamie (fractalvisionz) Assigned to: Nobody/Anonymous (nobody) Summary: Focus password field on load Initial Comment: This patch focuses the password field when the login page is loaded, a very simple and time saving feature. File should be placed in the templates/en directory. DIFF: 5,6c5,12 < <body bgcolor="#ffffff"> < <FORM METHOD=POST ACTION="%(path)s"> --- > <script> > function sf() > { > document.loginform.adminpw.focus(); > } > </script> > <body bgcolor="#ffffff" onLoad=sf()> > <FORM METHOD=POST ACTION="%(path)s" NAME="loginform"> ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=300103&aid=1447948&group_…

1 0

[ mailman-Feature Requests-403066 ] Auto Approval of subscriptions for certain domains
by SourceForge.net 11 Mar '06

11 Mar '06

Feature Requests item #403066, was opened at 2001-01-01 06:27 Message generated for change (Comment added) made by msapiro You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=350103&aid=403066&group_i… Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None >Status: Pending >Resolution: Accepted Priority: 3 Submitted By: Mark Tearle (mtearle) >Assigned to: Mark Sapiro (msapiro) Summary: Auto Approval of subscriptions for certain domains Initial Comment: A patch to enable automatic approval for certain domains, eg people in the example.com are automatically approved all others have to wait for the moderator ---------------------------------------------------------------------- >Comment By: Mark Sapiro (msapiro) Date: 2006-03-11 10:36 Message: Logged In: YES user_id=1123998 The attached patch is against a 2.1.8a1 installed base (installed because it patches Defaults.py and not Defaults.py.in). It is a modification and extension of the original patch. It implements a new list attribute 'subscribe_auto_approval' which is a list of email addresses and regular expressions matching email addresses whose subscriptions are exempt from admin approval. It implements the original intent if one just uses regexps that match domains. This will go in Mailman 2.2, but it would be nice to get some feedback from people who are interested in this feature and are willing to try the patch. ---------------------------------------------------------------------- Comment By: Thomas Wouters (twouters) Date: 2003-03-11 05:31 Message: Logged In: YES user_id=34209 Is this still necessary with Mailman 2.1, which has more 'automatic' options (as well as 'memberadaptors') ? In any case, the patch is likely heavily out of date by now, I'm moving this to Feature Requests for now. Feel free to respond if you (still) have a need. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=350103&aid=403066&group_i…

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

Mailman-coders March 2006