[Bug 739524] [NEW] Administrivia 'who' matches too much
Public bug reported:
Mailman/Utils.py has: 'who': (0, 2), This matches subject and start-of-line with many ordinary-language sentences or headings like 'who are you?' or 'Who is affected:'. I suggest dialing it back to (0, 1) which would have far fewer false positives, or even (0, 0) as it once was.
** Affects: mailman Importance: Undecided Status: New
I think the consequences of allowing mail with the command "who <password>" containing the list admin password to go to the list if inadvertently sent to the list posting address are more serious than the consequences of a false positive administrivia hold.
The "who <password> address=<address>" form is probably less used and less likely to contain the list password, since the address= option is irrelevant if the password is the list admin or moderator password. Since the argument count range was (0, 0) prior to Mailman 2.1.10, I think changing it to (0, 1) is OK, but I think (0, 0) has too much risk.
Also, note that any message that contains more than DEFAULT_MAIL_COMMANDS_MAX_LINES non-blank body lines prior to any '-- ' signature separator is not administrivia, so reducing DEFAULT_MAIL_COMMANDS_MAX_LINES from the default 25 can also reduce the false positives.
** Changed in: mailman Importance: Undecided => Low
** Changed in: mailman Status: New => Triaged
** Changed in: mailman Milestone: None => 2.1.15
** Changed in: mailman Assignee: (unassigned) => Mark Sapiro (msapiro)
As a new-ish Mailman admin I couldn't say how common the 1 and 2 args would be -- need you to judge. And I missed DEFAULT_MAIL_COMMANDS_MAX_LINES-- thank you.
Committed change from (0, 2) to (0, 1).
** Changed in: mailman Status: Triaged => Fix Committed
** Changed in: mailman Status: Fix Committed => Fix Released
participants (2)
-
Joseph Brennan -
Mark Sapiro