[Bug 1279980] [NEW] Some forms in list admin interfaces use absolute links in form action
Public bug reported:

Some forms in the admin interface, like the one on list member management (https://HOSTNAME/mailman/admin/somelist/members), use absolute links as the form action url. POST data then gets transmitted in the clear because that absolute link points to an http instead of an https address.

I'm running mailman 2.1.14

** Affects: mailman
Importance: Undecided
Status: New

--
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1279980

Title: Some forms in list admin interfaces use absolute links in form action

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1279980/+subscriptions
If you want to use https, you need to set DEFAULT_URL_PATTERN to an https scheme in mm_cfg.py, e.g.

    DEFAULT_URL_PATTERN = 'https://%s/mailman/'

and then run fix_url to update the web_page_url attribute of your lists. See the FAQ at <http://wiki.list.org/x/7oA9>.

** Changed in: mailman
Status: New => Invalid
Nice to have such a prompt answer. I'd like to support both http and https, and use some http server magic to redirect admin urls to https. If those form action urls were relative, it would just work and I can't think of any reason for not using relative links whenever possible. Still think it's an invalid request?
I see your point, but I wonder why you would want to allow http for, e.g., the data in the listinfo subscribe form. I.e., why not just access all of Mailman's web UI via https and use server redirect to redirect all http URLs?

** Changed in: mailman
Importance: Undecided => Low

** Changed in: mailman
Status: Invalid => Incomplete

** Changed in: mailman
Assignee: (unassigned) => Mark Sapiro (msapiro)
As a matter of fact, that's how my configuration is right now. All http traffic gets redirected to https. I'd like to support a better solution in which ssl would be used only when needed. That would result in better caching at web proxies on ISPs and companies and wouldn't prevent intrusion detection and prevention systems from working. This kind of behavior will probably come by default in mailman 3. In the meantime, I guess it should require only small changes on the code to generate relative urls instead of absolute, and if it's as easy as I think it is then it would be a nice improvement in mailman 2. :)
On 02/13/2014 03:12 PM, Vitor Choi Feitosa wrote:
> I'd like to support a better solution in which ssl would be used only when needed. That would result in better caching at web proxies on ISPs and companies and wouldn't prevent intrusion detection and prevention systems from working.

But exactly which pages would you not secure? You are concerned about the admin Membership List, so aren't you also concerned about the list roster, the private archives and user options login, the user options page with the capability to change password, the listinfo subscribe form and possibly others? What's left to not secure?

> This kind of behavior will probably come by default in mailman 3. In the meantime, I guess it should require only small changes on the code to generate relative urls instead of absolute, and if it's as easy as I think it is then it would be a nice improvement in mailman 2. :)

The code currently has a flag for requesting an absolute URL. Some URLs are requested as absolute and others not. I've only been working with Mailman for about 9 years and I don't know the reasons why some URLs are requested absolute, so I would have to examine each case to determine the unintended consequences of making the URL relative. This is only a trivial change in the code, but a lot of work to examine possible consequences in each case. If you wanted to try it in your installation, you could change all occurrences of 'absolute=1' to 'absolute=0' in Mailman/Cgi/*.py.

--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
I'll do that, thanks for the tip!
I have the following problem: The list's host_name is example.org but the mailman pages (list-info, admin interface, archive) are located at http://www.example.com/mailman/ ; example.com is the provider. The .htaccess for example.org contains:

    # without www -> with www
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteRule ^/(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

    # mailman
    RewriteRule /mailman/(.*)$ http://www.example.com/mailman/$1 [R=301,NC,L]

But still I'm not able to use the forms where the action URLs are absolute! I can't see why it could be problematic to have relative URLs by default. For example: at the moment the members can't access the private archive. This is annoying.
I just learned that the POST data is lost with a 301 redirect. You can use a 307 redirect but the user will get a warning about the redirection: https://programmers.stackexchange.com/a/99966
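The 301-versus-307 behaviour described in the comment above can be reproduced locally. The script below is an added example, not code from this thread or from Mailman: it starts a throwaway HTTP server (constructed for the demo, with made-up paths /redirect/<code> and /target and made-up form fields) that answers a form POST with a redirect of any chosen status code, and drives it with Python's urllib. urllib does what browsers do for a 301/302/303 on a POST, re-issuing the request as a GET with no body, and for a 307/308 it refuses to follow on its own, so the caller has to resubmit the POST deliberately; that explicit step is the client-side confirmation the comment mentions.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Record of (method, body) pairs as they arrive at the final /target endpoint.
RECEIVED = []


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed demo server: /redirect/<code> answers a POST with that
    redirect status pointing at /target; /target records what it receives."""

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _read_body(self):
        length = int(self.headers.get("Content-Length") or 0)
        return self.rfile.read(length) if length else b""

    def _ok(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def do_GET(self):
        if self.path != "/target":
            return self.send_error(404)
        RECEIVED.append(("GET", b""))
        self._ok()

    def do_POST(self):
        body = self._read_body()  # drain the body before answering
        if self.path == "/target":
            RECEIVED.append(("POST", body))
            return self._ok()
        if self.path.startswith("/redirect/"):
            code = int(self.path.rsplit("/", 1)[1])
            port = self.server.server_address[1]
            self.send_response(code)
            self.send_header("Location", f"http://127.0.0.1:{port}/target")
            self.end_headers()
            return
        self.send_error(404)


def start_server():
    """Start the demo server on an ephemeral port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def submit_form(base_url, redirect_code, fields, resubmit_on_307=False):
    """POST `fields` to a URL that redirects with `redirect_code`.

    Returns what /target finally received as (method, body), or
    ("refused", status) when urllib declines to follow the redirect.
    """
    RECEIVED.clear()
    payload = urlencode(fields).encode()
    req = Request(f"{base_url}/redirect/{redirect_code}", data=payload, method="POST")
    try:
        # urllib turns a 301/302/303 on a POST into a body-less GET, mirroring
        # browsers; for 307/308 it raises instead of silently re-POSTing.
        urlopen(req).read()
    except HTTPError as err:
        if err.code in (307, 308) and resubmit_on_307:
            # The explicit re-POST a 307-aware client performs (after asking
            # the user, in a browser): same method, same body, new location.
            urlopen(Request(err.headers["Location"], data=payload, method="POST")).read()
            return RECEIVED[-1]
        return ("refused", err.code)
    return RECEIVED[-1]


if __name__ == "__main__":
    server, base = start_server()
    form = {"user": "alice", "action": "unsubscribe"}
    print("301:", submit_form(base, 301, form))
    print("307:", submit_form(base, 307, form))
    print("307 + resubmit:", submit_form(base, 307, form, resubmit_on_307=True))
    server.shutdown()
```

Either way the outcome supports the original report: by the time the redirect arrives, the form body has already left the client over plain http, and a 301 then discards it as well. A redirect can move the browser to https, but it cannot retroactively protect or reliably deliver data POSTed to an http form action; the action URL itself has to be https (or relative to an https page).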
It looks to me like your Mailman is not correctly configured. See the FAQ at <http://wiki.list.org/x/4030592>. If your configuration is correct, any absolute form action URLs will not need redirection.
participants (3)
- J-K
- Mark Sapiro
- Vitor Choi Feitosa