[Bug 1082746] [NEW] Automated processes can swamp a list with web subscription requests.
Public bug reported:

There are discussions of this in threads at <http://mail.python.org/pipermail/mailman-users/2012-October/074213.html>, <http://mail.python.org/pipermail/mailman-users/2012-October/074278.html> and <http://mail.python.org/pipermail/mailman-users/2012-November/074412.html>. The Mailman developers do not think there is any way to prevent this other than disabling web subscribe entirely, as by definition, subscription requests come from unauthenticated users. However, an attempt will be made to mitigate this by making a site option to include a dynamically generated hidden hash in the subscribe form which will at least require an automated process to first GET and parse the listinfo form immediately prior to POSTing it.

** Affects: mailman
     Importance: Medium
     Assignee: Mark Sapiro (msapiro)
         Status: In Progress

--
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1082746

Title:
  Automated processes can swamp a list with web subscription requests.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1082746/+subscriptions
** Branch linked: lp:mailman/2.2
** Branch linked: lp:mailman/2.1
** Changed in: mailman
       Status: In Progress => Fix Committed
** Changed in: mailman
       Status: Fix Committed => Fix Released

** Changed in: mailman
    Milestone: 2.1.16 => 2.1.16rc1
Would you please allow us to configure this on a per list basis?
Can you please explain why you want to configure this per-list.
Because only one of our lists is being attacked with bots. This would allow us to not break the subscription forms that are hosted on other sites.
I suspect it will only be a matter of time before other lists are attacked too, especially since they have subscribe forms on other sites.

A proper implementation would include modifying the list admin GUI to maintain a list attribute to control this, but I don't intend to do that.

You can patch Mailman/Cgi/listinfo.py at about line 188 and Mailman/Cgi/subscribe.py at about line 125 as follows: in each of those places, replace the line

    if mm_cfg.SUBSCRIBE_FORM_SECRET:

with the 5 lines

    try:
        _switch = mlist.hash_subscribe
    except AttributeError:
        _switch = False
    if mm_cfg.SUBSCRIBE_FORM_SECRET and _switch:

(if it isn't clear, the 1st, 3rd and 5th lines are indented 4 spaces and the 2nd and 4th lines are indented 8 spaces.)

Then you can use bin/config_list with input

    mlist.hash_subscribe = True

to set this for a list. Those lists for which mlist.hash_subscribe exists and is True will require the hidden hash in the subscribe form. Other lists will not. You still need to set SUBSCRIBE_FORM_SECRET in mm_cfg.py.
** Description changed:

  There are discussions of this in threads at
  <http://mail.python.org/pipermail/mailman-users/2012-October/074213.html>,
  <http://mail.python.org/pipermail/mailman-users/2012-October/074278.html> and
- <http://mail.python.org/pipermail/mailman-users/2012-November/074412.html>.
+ <http://mail.python.org/pipermail/mailman-users/2012-November/074412.html> and a more recent thread at
+ <https://mail.python.org/pipermail/mailman-users/2014-May/076880.html>.
  The Mailman developers do not think there is any way to prevent this other than disabling web subscribe entirely, as by definition, subscription requests come from unauthenticated users. However, an attempt will be made to mitigate this by making a site option to include a dynamically generated hidden hash in the subscribe form which will at least require an automated process to first GET and parse the listinfo form immediately prior to POSTing it.
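Added example, not Mailman's own code: a Python 3 sketch of the mitigation the description outlines (a dynamically generated hidden value issued when the listinfo form is rendered and checked when it is POSTed), combined with the per-list hash_subscribe switch from Mark's comment above. The function names, the HMAC construction, the token lifetime and the binding of the token to the requester's address are assumptions of this sketch, not Mailman 2.1.16's actual implementation.

```python
"""Sketch of a SUBSCRIBE_FORM_SECRET-style hidden form token.

issue_token() runs when the listinfo page is served (GET); verify_token()
runs when the subscribe form is submitted (POST). A client that simply
POSTs a stored form never obtains a fresh, valid token.
"""
import hashlib
import hmac
import time

# Constructed placeholder; in Mailman this would come from mm_cfg.py.
SUBSCRIBE_FORM_SECRET = "example-site-secret-not-for-production"
TOKEN_MAX_AGE = 3600  # seconds a token stays valid (assumed value)


def _mac(secret, listname, issued, remote_ip):
    # Bind the token to the list, the issue time and the requester (assumption).
    msg = "%s:%d:%s" % (listname, issued, remote_ip)
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()


def issue_token(secret, listname, remote_ip, now=None):
    """Value for the hidden form field rendered into the listinfo page."""
    issued = int(now if now is not None else time.time())
    return "%d:%s" % (issued, _mac(secret, listname, issued, remote_ip))


def verify_token(secret, listname, remote_ip, token, now=None, hash_subscribe=True):
    """Return True if the POST may proceed.

    hash_subscribe models the per-list mlist.hash_subscribe attribute from the
    thread: the check only applies when the site secret is set AND the list
    opted in, mirroring 'mm_cfg.SUBSCRIBE_FORM_SECRET and _switch'.
    """
    if not (secret and hash_subscribe):
        return True  # feature off site-wide or for this particular list
    if not token or ":" not in token:
        return False
    issued_s, mac = token.split(":", 1)
    if not issued_s.isdigit():
        return False
    issued = int(issued_s)
    now = int(now if now is not None else time.time())
    if not 0 <= now - issued <= TOKEN_MAX_AGE:
        return False  # stale, or clock skew made it appear future-dated
    expected = _mac(secret, listname, issued, remote_ip)
    return hmac.compare_digest(mac, expected)  # constant-time comparison
```

Because the token is minted per request, a subscribe form copied onto another site cannot carry a valid one, which is exactly the breakage the per-list switch in the thread is meant to avoid for lists that are not under attack.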
participants (3)
- Charles Peters II
- Launchpad Bug Tracker
- Mark Sapiro