*** This bug is a security vulnerability ***
Private security bug reported:
We may have to set a lifetime for input forms because of recent activity
around cross-site request forgery (CSRF). Form lifetimes are successfully
deployed in frameworks like web.py or Plone etc. The proposed branch
lp:~tkikuchi/mailman/form-lifetime implements a lifetime in the admin,
admindb, options and edithtml interfaces. Other forms like create and
rmlist have confirmation by password and thus are safe regarding CSRF.
The form generation time is set by a hidden parameter whose value is
calculated following the mailman cookie algorithm. The default lifetime
is set to 1 hour in Default.py and is thus configurable by a site
administrator. If a password is set in the request, the authorization
cookie is discarded so that password authentication is forced. The wget
tricks in the FAQ for managing lists can be used as they are now.
** Affects: mailman
Importance: Undecided
Status: New
** Branch linked: lp:~tkikuchi/mailman/form-lifetime
--
You received this bug notification because you are a member of Mailman
Coders, which is a direct subscriber.
https://bugs.launchpad.net/bugs/775294
Title:
Set lifetime for input forms
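Added example, not code from the proposed branch or from Mailman: a sketch of the form-lifetime check the report above describes, with the generation time carried in a hidden field and bound to a server secret. It uses HMAC-SHA256 rather than the Mailman cookie algorithm; the field names "password" and "form_token", the context string and all function names are assumptions.

```python
import hashlib
import hmac
import time

FORM_LIFETIME = 3600  # seconds; mirrors the 1 hour default named in the report


def _mac(secret, context, issued):
    # Bind the generation time to one form (context) under the server secret.
    msg = f"{context}|{issued}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_form_token(secret, context, now=None):
    """Value for the hidden form field: '<issued>:<mac>'."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_mac(secret, context, issued)}"


def check_form_token(secret, context, token, now=None, lifetime=FORM_LIFETIME):
    """True only if the token is authentic, made for this form, and fresh."""
    now = int(time.time() if now is None else now)
    try:
        issued_text, mac = token.split(":", 1)
        issued = int(issued_text)
    except (AttributeError, ValueError):
        return False  # missing or malformed field
    expected = _mac(secret, context, issued)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # forged, or issued for another form
    # Reject expired tokens and tokens dated in the future.
    return 0 <= now - issued <= lifetime


def decide_auth(fields, secret, context, now=None):
    """Return 'password', 'session' or 'reject' for a submitted form.

    A password in the request forces password authentication and the
    cookie is ignored; otherwise a cookie-authenticated POST is only
    accepted with a valid, unexpired form token.
    """
    if fields.get("password"):  # hypothetical field name
        return "password"
    if check_form_token(secret, context, fields.get("form_token"), now):
        return "session"
    return "reject"
```
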
Public bug reported:
When configured to hide email addresses, a mailman user should be able
to contact someone else by using a request contact form on a profile page
representing a user. This form would email the recipient of the request
a short message explaining who is trying to get in contact, and the
email address of the user requesting contact.
** Affects: mailman
Importance: Undecided
Status: New
** Tags: wishlist
--
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1104498
Title:
Member contact requests
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1104498/+subscriptions
Public bug reported:
Some forms in admin interface, like the one on list member management --
https://HOSTNAME/mailman/admin/somelist/members -- , use absolute links
as the form action url.
POST data then gets transmitted in the clear because that absolute link
points to http instead of https address.
I'm running mailman 2.1.14
** Affects: mailman
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1279980
Title:
Some forms in list admin interfaces use absolute links in form action
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1279980/+subscriptions
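Added example, not part of the bug report or of Mailman: a check that finds the condition reported above, a page served over https whose form action resolves to an http URL. The function name, host name and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> start tag."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A form without an action posts back to the page itself.
            self.actions.append(dict(attrs).get("action") or "")


def downgraded_form_actions(page_url, html):
    """Return resolved form targets that drop from https to http."""
    if urlsplit(page_url).scheme != "https":
        return []  # nothing to downgrade from
    parser = _FormActions()
    parser.feed(html)
    parser.close()
    flagged = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # relative actions keep https
        if urlsplit(target).scheme == "http":
            flagged.append(target)
    return flagged


# Constructed sample: one absolute http action, one relative, one missing.
SAMPLE_PAGE_URL = "https://lists.example.org/mailman/admin/somelist/members"
SAMPLE_HTML = """
<form action="http://lists.example.org/mailman/admin/somelist/members" method="POST">
  <input type="text" name="field"></form>
<form action="members/add" method="POST"></form>
<form method="POST"></form>
"""

if __name__ == "__main__":
    for url in downgraded_form_actions(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("form posts in the clear to", url)
```
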
Public bug reported:
separate installation of zope interface 3.8.0 fixes the issue, afterwards mailman 3.0.0.8a
OS: Scientific Linux 6.1, Python 2.6.6
** Affects: mailman
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/889829
Title:
setup takes zope interface 3.5.1, but needs 3.8.0
Public bug reported:
Mailman should create atom/rss web feeds from lists as well as
individual posts (threads) or searches.
** Affects: mailman
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1104507
Title:
Web feeds
Public bug reported:
Here's what I did as recorded in Terminal.app:
steve@turnbull:~/src/Mailman3/mailman.client$ python
Python 2.7.3rc2 (default, Apr 22 2012, 22:30:17)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> import time
>>> import subprocess
>>> from mailman.client import Client
>>> c = Client('http://localhost:8001/3.0', 'restadmin', 'restpass')
>>> dump(c.system)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
NameError: name 'dump' is not defined
>>> c.lists
[<List "mm3-test(a)turnbull.sk.tsukuba.ac.jp">]
>>> c.domains
[<Domain "turnbull.sk.tsukuba.ac.jp">]
>>> print c.domains[0].url_host
turnbull.sk.tsukuba.ac.jp
>>> print c.domains[0].mail_host
turnbull.sk.tsukuba.ac.jp
>>> l = c.lists[0]
>>> l.fqdn_listname
u'mm3-test(a)turnbull.sk.tsukuba.ac.jp'
>>> c.get_list('mm3-test(a)turnbull.sk.tsukuba.ac.jp')
<List "mm3-test(a)turnbull.sk.tsukuba.ac.jp">
>>> c.get_list(u'mm3-test(a)turnbull.sk.tsukuba.ac.jp')
<List "mm3-test(a)turnbull.sk.tsukuba.ac.jp">
>>> c.members
[<Member "turnbull(a)sk.tsukuba.ac.jp" on "mm3-test(a)turnbull.sk.tsukuba.ac.jp">]
>>> print c.members[0].self_link
http://localhost:8001/3.0/members/230487102891977069915270988864921324936
>>> print c.members[0].link
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
AttributeError: '_Member' object has no attribute 'link'
>>> print c.users[0]
<User "None" (323817100493882819169277267745120573853)>
>>> print c.users
[<User "None" (323817100493882819169277267745120573853)>]
>>> print c.users[0].addresses
<mailman.client._client._Addresses object at 0x7f6b849c7a10>
>>> print c.users[0].addresses[0]
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
TypeError: '_Addresses' object does not support indexing
>>> for a in print c.users[0].addresses:
File "<stdin>", line 1
for a in print c.users[0].addresses:
^
SyntaxError: invalid syntax
>>> for a in c.users[0].addresses:
... print a
...
turnbull(a)sk.tsukuba.ac.jp
>>> for a in sorted(l.settings):
... print a + ': ' + string(l.settings[a])
...
Traceback (most recent call last):
File "<stdin>", line 2, in <module>
NameError: name 'string' is not defined
>>> for a in sorted(l.settings):
... print a + ': ' + str(l.settings[a])
...
acceptable_aliases: []
admin_immed_notify: True
admin_notify_mchanges: False
administrivia: True
advertised: True
allow_list_posts: True
anonymous_list: False
autorespond_owner: none
autorespond_postings: none
autorespond_requests: none
autoresponse_grace_period: 90d
autoresponse_owner_text:
autoresponse_postings_text:
autoresponse_request_text:
bounces_address: mm3-test-bounces(a)turnbull.sk.tsukuba.ac.jp
collapse_alternatives: True
convert_html_to_plaintext: False
created_at: 2012-08-09T03:16:21.186456
default_member_action: defer
default_nonmember_action: hold
description:
digest_last_sent_at: None
digest_size_threshold: 30.0
display_name: Mm3-test
filter_content: False
fqdn_listname: mm3-test(a)turnbull.sk.tsukuba.ac.jp
generic_nonmember_action: 1
http_etag: "b8b4e1df6bc8d8ee33f363927022d0bcc86569bb"
include_rfc2369_headers: True
join_address: mm3-test-join(a)turnbull.sk.tsukuba.ac.jp
last_post_at: None
leave_address: mm3-test-leave(a)turnbull.sk.tsukuba.ac.jp
list_name: mm3-test
mail_host: turnbull.sk.tsukuba.ac.jp
next_digest_number: 1
no_reply_address: noreply(a)turnbull.sk.tsukuba.ac.jp
owner_address: mm3-test-owner(a)turnbull.sk.tsukuba.ac.jp
post_id: 1
posting_address: mm3-test(a)turnbull.sk.tsukuba.ac.jp
posting_pipeline: default-posting-pipeline
reply_goes_to_list: no_munging
request_address: mm3-test-request(a)turnbull.sk.tsukuba.ac.jp
scheme: http
send_welcome_message: True
volume: 1
web_host: turnbull.sk.tsukuba.ac.jp
welcome_message_uri: mailman:///welcome.txt
>>> dir()
['Client', '__builtins__', '__doc__', '__name__', '__package__', 'a', 'c', 'l', 'os', 'subprocess', 'time']
>>> dir(Client)
['__class__', '__delattr__', '__dict__', '__doc__', '__format__', '__getattribute__', '__hash__', '__init__', '__module__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', 'create_domain', 'delete_domain', 'delete_list', 'domains', 'get_domain', 'get_list', 'get_user', 'lists', 'members', 'preferences', 'system', 'users']
>>> dir(Client.system)
['__class__', '__delattr__', '__delete__', '__doc__', '__format__', '__get__', '__getattribute__', '__hash__', '__init__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__set__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'deleter', 'fdel', 'fget', 'fset', 'getter', 'setter']
>>> dir(l)
['__class__', '__delattr__', '__dict__', '__doc__', '__format__', '__getattribute__', '__hash__', '__init__', '__module__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', '_connection', '_get_info', '_info', '_url', 'accept_message', 'defer_message', 'delete', 'discard_message', 'display_name', 'fqdn_listname', 'get_member', 'held', 'list_name', 'mail_host', 'members', 'moderate_message', 'reject_message', 'settings', 'subscribe', 'unsubscribe']
>>> l._connection.__doc__
u'A connection to the REST client.'
>>> l.held.__doc__
^CTraceback (most recent call last):
File "<stdin>", line 1, in <module>
File "mailman/client/_client.py", line 350, in held
'lists/{0}/held'.format(self.fqdn_listname), None, 'GET')
File "mailman/client/_client.py", line 114, in call
response, content = Http().request(url, method, data, headers)
File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1543, in request
(response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1293, in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1263, in _conn_request
response = conn.getresponse()
File "/usr/lib/python2.7/httplib.py", line 1030, in getresponse
response.begin()
File "/usr/lib/python2.7/httplib.py", line 407, in begin
version, status, reason = self._read_status()
File "/usr/lib/python2.7/httplib.py", line 365, in _read_status
line = self.fp.readline()
File "/usr/lib/python2.7/socket.py", line 430, in readline
data = recv(1)
File "/home/steve/src/Mailman3/mailman-trunk/src/mailman/email/message.py", l\
ine 226, in _enqueue
virginq.enqueue(self, **str_keywords)
File "/home/steve/src/Mailman3/mailman-trunk/src/mailman/core/switchboard.py"\
, line 123, in enqueue
msgsave = cPickle.dumps(_msg, protocol)
After the above I tried a couple of things, like printing l.held (with
no further attribute). These also hung for a few seconds and I
interrupted with ^C.
Eventually it failed with an error about not being connected to Mailman.
I thought Mailman had crashed, but when I tried shutting down Mailman
using bin/mailman, it seemed to shut down normally.
** Affects: mailman
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1036207
Title:
mailman.client hangs accessing moderation queue
Public bug reported:
Currently it is not possible to subscribe as anonymous user.
** Affects: postorius
Importance: Undecided
Status: New
** Tags: anonymous confirmation subscription ui
--
You received this bug notification because you are a member of Mailman
Coders, which is the registrant for Postorius.
https://bugs.launchpad.net/bugs/1006345
Title:
Anonymous subscription via confirmation email
Public bug reported:
Mailman users should have a profile page that is common to all the lists
in the instance. The profile should store all the user's personal
information (if any), and lists all of the posts by that user.
** Affects: mailman
Importance: Undecided
Status: New
** Tags: wishlist
https://bugs.launchpad.net/bugs/1104497
Title:
User profile pages
Public bug reported:
Hi,
This bug report is a little bit inaccurate. I had the following
situation.
I sent a message to Mailman 3 from mutt. I think that this message had
no unixfrom header in "email.message.Message". The log file showed an
exception thrown at "mailman/cure/runner.py".
The exception "AttributeError: class MIMEMultipart has no attribute
'sender'" was caused because "_process_one_file()" of "runner.py"
accesses "mailman.email.message.Message.sender" without any validation.
The loaded, pickled file contained a "MIMEMultipart" object, the other
one an "email.message.Message" as far as I can remember.
I have attached a patch that ensures that "runner.py" is handling the
expected Mailman "Message" instance but I think this was not the root of
the problem.
Hope it helps anyway.
Best regards and keep up the good work on Mailman 3
** Affects: mailman
Importance: Undecided
Status: New
** Tags: mailman3
** Patch added: "Ensure runner.py handles a Mailman "Message" instance"
https://bugs.launchpad.net/bugs/1333902/+attachment/4138396/+files/0003-mai…
https://bugs.launchpad.net/bugs/1333902
Title:
Mailman 3.0 goes awry when handling messages in an unexpected format