[Bug 1696202] [NEW] Setting private_roster to list admin only causes subscriptions to break

Public bug reported:
This is an odd one, seen on https://mail.python.org/
The Pycon Pune list was set up such that private_roster was set to list admin only, whereupon all subscribers got a message "The hidden token didn't match. Did your IP change?" after they entered their email address and were sent to the standard page at https://mail.python.org/mailman/confirm/pycon-pune
I reset the private_roster to "List members" and for some reason, this solved the problem and would-be subscribers get the usual "Your subscription request has been received, and will soon be acted upon." message.
Not sure if this is a mail.python.org specific bug or a mailman 2.1 issue in general, but I figure Mark's equipped to handle either one so filing here is the right choice regardless.
** Affects: mailman Importance: Undecided Status: New

I just tried subscribing to mailman-users@python.org from the page at https://mail.python.org/mailman/listinfo/mailman-users. This list has private rosters and the subscription process went completely normally. Upon submitting the form, I was sent to the subscribe results page and all was as expected.
There is an issue with load balancers and perhaps proxies. The IPv4 address that submits the form has to match the address that did the GET of the form. It used to have to match exactly, but because of load balancer issues we've seen, it now only has to match the first 3 octets (https://bugs.launchpad.net/bugs/1447445).
Maybe there is some IP change issue and changing private_roster was just a coincidence.
I've looked at logs and I see
Jun 05 11:15:42 2017 (21148) pycon-pune: pending Anwesha ...
Jun 05 11:25:35 2017 (23837) pycon-pune: pending Kushal ...
Jun 05 20:42:26 2017 (18559) pycon-pune: pending Kushal ...
Jun 06 07:32:48 2017 (9267) pycon-pune: pending Sayan ...
Jun 06 14:13:45 2017 (5012) pycon-pune: pending Terri Test ...
Associated with some of those, I see successful GETs of the listinfo and POSTs of the form. I also see these GETs and posts shortly before the successful Terri Test subscribe.
/var/log/apache2/mail.python.org-ssl_access.log:134.134.139.75 - - [06/Jun/2017:14:06:21 -0400] "GET /mailman/listinfo/pycon-pune HTTP/2.0" 200 2292 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36"
/var/log/apache2/mail.python.org-ssl_access.log:192.55.55.41 - - [06/Jun/2017:14:08:31 -0400] "GET /mailman/listinfo/pycon-pune HTTP/2.0" 200 2291 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36"
/var/log/apache2/mail.python.org-ssl_access.log:134.134.139.75 - - [06/Jun/2017:14:08:42 -0400] "POST /mailman/subscribe/pycon-pune HTTP/2.0" 200 546 "https://mail.python.org/mailman/listinfo/pycon-pune" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36"
/var/log/apache2/mail.python.org-ssl_access.log:134.134.139.75 - - [06/Jun/2017:14:09:15 -0400] "GET /mailman/listinfo/pycon-pune HTTP/2.0" 200 2293 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36"
/var/log/apache2/mail.python.org-ssl_access.log:192.55.55.41 - - [06/Jun/2017:14:09:24 -0400] "POST /mailman/subscribe/pycon-pune HTTP/2.0" 200 546 "https://mail.python.org/mailman/listinfo/pycon-pune" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36"
/var/log/apache2/mail.python.org-ssl_access.log:192.55.55.41 - - [06/Jun/2017:14:12:02 -0400] "GET /mailman/listinfo/pycon-pune HTTP/2.0" 200 2292 "https://mail.python.org/mailman/admin/pycon-pune/digest" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36"
/var/log/apache2/mail.python.org-ssl_access.log:134.134.139.75 - - [06/Jun/2017:14:12:51 -0400] "POST /mailman/subscribe/pycon-pune HTTP/2.0" 200 546 "https://mail.python.org/mailman/listinfo/pycon-pune" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36"
These look like two different IPs doing GET and POST and that should be OK, but may be an issue somehow.
I also installed the not well tested fix for https://bugs.launchpad.net/mailman/+bug/1695667 at about 13:20 on 06 June, so that could be involved, but as I said, it worked for me on Mailman-users with private_roster set to admin only.
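
The first-three-octets rule described above can be checked against a web server log. The following is an added example, not part of the original thread and not Mailman's own code: it pairs each subscribe POST with an earlier listinfo GET for the same list from the same three-octet prefix. The log lines (RFC 5737 addresses), the list name `example-list` and the one-hour form lifetime are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log layout (RFC 5737 addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Jun/2017:14:06:21 -0400] "GET /mailman/listinfo/example-list HTTP/2.0" 200 2292 "-" "UA"
198.51.100.7 - - [06/Jun/2017:14:08:31 -0400] "GET /mailman/listinfo/example-list HTTP/2.0" 200 2291 "-" "UA"
192.0.2.99 - - [06/Jun/2017:14:08:42 -0400] "POST /mailman/subscribe/example-list HTTP/2.0" 200 546 "-" "UA"
203.0.113.5 - - [06/Jun/2017:14:09:24 -0400] "POST /mailman/subscribe/example-list HTTP/2.0" 200 546 "-" "UA"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>GET|POST) /mailman/(?P<page>listinfo|subscribe)/(?P<list>[^/ ?"]+)')

def prefix24(ip):
    """First three octets: the part of the IPv4 address that has to match."""
    return ip.rsplit(".", 1)[0]

def check_subscribe_posts(log_text, max_age=timedelta(hours=1)):
    """Return (ip, list, verdict) for every subscribe POST, in log order.

    verdict is "match" if an earlier listinfo GET for the same list came from
    the same three-octet prefix within max_age (an assumed form lifetime),
    otherwise "no-matching-get", the case where a token mismatch is expected.
    """
    seen = {}      # (list, prefix) -> time of the latest form GET
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other URLs or unparsable lines (IPv6 is out of scope)
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["list"], prefix24(m["ip"]))
        if m["method"] == "GET" and m["page"] == "listinfo":
            seen[key] = when
        elif m["method"] == "POST" and m["page"] == "subscribe":
            got = seen.get(key)
            ok = got is not None and when - got <= max_age
            results.append((m["ip"], m["list"], "match" if ok else "no-matching-get"))
    return results

if __name__ == "__main__":
    for row in check_subscribe_posts(SAMPLE_LOG):
        print(*row)
```

A POST flagged `no-matching-get` only means the form was fetched from a different prefix, or not recorded in this log; it does not by itself show which hop changed the address.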

I tried to subscribe again with my id, and I am getting stuck on the same confirmation page. So, maybe it is the load balancer as Mark suggested.

It's not load balancing or the "The hidden token didn't match. Did your IP change?" message that Terri mentions. I think that was affecting her testing, but is not the actual problem that was originally reported.
The issue is that when one gets the initial https://mail.python.org/mailman/confirm/pycon-pune/xxx... page, it succeeds as it should, but somehow clicking "subscribe" POSTs the form, but Apache sees a GET rather than a POST, so the CGI doesn't see the cookie in the POST data.
I don't know how many lists are affected or why, but I've successfully confirmed subscription to two other mail.python.org lists, so I don't think it's a Mailman issue. Rather, it seems to be Apache or the network.

I'm marking this as invalid because the actual issue wasn't the "The hidden token didn't match. Did your IP change?" issue which I think only appeared in Terri's testing.
The underlying issue was the list was created with URL host = python.org rather than mail.python.org causing all form submissions to redirect and lose POST data. The list is now fixed.
** Changed in: mailman Status: New => Invalid
** Changed in: mailman Assignee: (unassigned) => Mark Sapiro (msapiro)
participants (3)
- Kushal Das
- Mark Sapiro
- Terri