? This very message came to me with the following header:
Errors-To: mailman-developers-admin(a)python.org
All my bounces come to the list admin address, set in
the admin webpage, in the second field of General Options.
Do you have that set to something, and bounces still come to root?
> 2. Bounces are sent to the poor postmaster instead of a -admin address.
> I'm not entirely certain, but I think an Errors-To: header or something
> like that in all Mailman messages might allow one to distribute that load
> somewhat.
[Ricardo Kustner]
> Hi,
>
> On Tue, May 09, 2000 at 09:12:49PM +0200, Harald Meland wrote:
> > > > Please write a patch which puts the string "Cookie could not be set" on the
> > > > web page so that I can see that pressing submit will not work :-)
> > > i think thats a good point... it would safe some user questions if
> > > MM tells exactly why the authorisation failed.
> > While I agree that such a warning would be nice, I don't think it's
> > possible to do such things with cookies.
> it's possible to set a test cookie to see if cookies are
> enabled...
Ahh, I didn't even think of using multiple cookies :)
If I understand you correctly, you're proposing something like this:
Whenever Mailman is about to write a login page (i.e. the user is
not already authenticated), it first issues a
Set-Cookie: Mailman_cookie_test="This cookie is only used to test whether your browser will be able to authenticate with Mailman"; Version=1
HTTP header (If other Mailman cookies set attributes like Path or
Domain, the test cookie should mirror these to make the test reflect
real usage).
Next, once the user has pressed the "Let me in..." button, Mailman
checks whether the Cookie has been sent back. If it hasn't,
authentication fails (as the user won't be able to make any changes
anyway), and Mailman instructs the user to enable Cookies in her
browser before retrying login.
If the test Cookie is present, Mailman should issue a
Set-Cookie: Mailman_cookie_test="clickety click"; Max-Age=0; Version=1
HTTP header (to delete the test cookie, so that the test cookie
isn't later confused with test cookies for login attempts at other
lists).
Finally, Mailman proceeds with password authentication as usual,
possibly resulting in an authentication cookie.
Hmmmm... I guess the test cookie should contain info on what list it
is for, as well.
Have I understood you correctly? Does anyone think that implementing
this (apart from my misunderstandings, of course :) would be a bad
thing?
And, while we're talking about cookies: Does anyone know whether
switching from the cookie attribute "Expires" (which was part of the
original Netscape cookie proposal) to the RFC2109 cookie attribute
"Max-Age" is likely to cause any problems?
I've had a look at Cookie.py, and the value part of the Expires
attribute isn't enclosed in double quotes (in accordance with the
original Netscape cookie proposal), which I believe might confuse
Mailman in some situations where the browser sends back more than one
cookie.
Of course, if there are any (major) browsers in use out there that
doesn't understand Max-Age, it would be a bad idea to change Mailman.
--
Harald
[Ricardo Kustner]
> On Wed, Jun 07, 2000 at 04:21:06PM +0200, Andrea Paparelli wrote:
> > Bug in Mailman version 1.1
> > File "/home/staff/mailman/Mailman/SecurityManager.py", line 117, in
> > CheckCookie
> > if cookiedata[keylen+1] <> '"' and cookiedata[-1] <> '"':
> > IndexError: string index out of range
>
> I stumbled on this a few times too... but it is very hard to reproduce...
> what I think went wrong in my situation most of those times is that somehow
> the cookie got mixed up with a different cookie which was set by a different
> program at the exact same server as mailman...
> anybody had simular experiences?
I haven't seen this happen with my users, but as the offending piece
of code indeed is a hack that won't work reliably if the browser sends
multiple cookies, I think this should be addressed somehow.
The real problem, I think, is that there's confusion on the subject of
cookie content syntax.
The original Netscape proposal uses this (not very well-defined, IMO)
cookie content syntax:
: NAME=VALUE
: This string is a sequence of characters excluding semi-colon,
: comma and white space. If there is a need to place such data in
: the name or value, some encoding method such as URL style %XX
: encoding is recommended, though no encoding is defined or
: required.
A quick example:
[ Server -> Client ]
Set-Cookie: CUSTOMER=WILE_E_COYOTE; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT
[ Client -> Server ]
Cookie: CUSTOMER=WILE_E_COYOTE
Note that there are no quotes around the cookie value.
RFC 2109, however, has a more well-defined, but ever so slightly
different content syntax:
: 4.1 Syntax: General
:
: The two state management headers, Set-Cookie and Cookie, have common
: syntactic properties involving attribute-value pairs. The following
: grammar uses the notation, and tokens DIGIT (decimal digits) and
: token (informally, a sequence of non-special, non-white space
: characters) from the HTTP/1.1 specification [RFC 2068] to describe
: their syntax.
:
: av-pairs = av-pair *(";" av-pair)
: av-pair = attr ["=" value] ; optional value
: attr = token
: value = word
: word = token | quoted-string
Note that the cookies value can be a quoted-string. The example from
the Netscape spec could look like this using the RFC syntax:
[ Server -> Client ]
Set-Cookie: CUSTOMER="WILE_E_COYOTE"; Version="1"; Path="/"; Max-Age="3600"
[ Client -> Server ]
Cookie: $Version="1"; CUSTOMER="WILE_E_COYOTE"; $Path="/"
(Some time back) I looked over misc/Cookie.py trying to find some way
to make it cope reliably with both kinds of cookies, but wasn't really
able to discover what's wrong with _CookiePattern :(
I suspect that using "Max-Age" attributes on Mailman cookies instead
of the current (non-RFC) "Expires" attribute *might* help, but I
really don't have any idea whether such a change will stop Mailman
from working with certain browsers.
--
Harald
Mailman: 1.1
Python: 1.5.2
OS: Solaris 5.7
I don't know if this has been fixed in the CVS version, but I thought I'd
submit it anyways. There seems to be a small authentication bug with the
chunking in the membership management page. The page will load up correctly
the first time it is accessed with the first chunk size shown. However, when
you request a different chunk, it requires a reauthentication and then gives
the chunk=0 page instead of the requested chunk. If you then click on the
alternate chunk it loads fine. However, the additional click and
authentication is annoying.
--
Ted Cabeen http://www.pobox.com/~secabeen secabeen(a)pobox.com
Check Website or finger for PGP Public Key secabeen(a)midway.uchicago.edu
"I have taken all knowledge to be my province." -F. Bacon cococabeen(a)aol.com
"Human kind cannot bear very much reality."-T.S.Eliot 73126.626(a)compuserve.com
Hi,
I'm running the latest cvs (just updated again this morning just to be sure)
but their doesn't seem to be any more posts being send out on the list??
they all arrive on the approval page, but once approved they vanish into
nothing... I'm not sure how long this has been going on though...
anybody else having the same trouble?
Ricardo.
--
Hi,
I'm sorry for my bad english...
I'd like to read the file config.db with a perl-program, where I can read
informations about the file format?
Thank's to all.
Ciao Davide
--
Davide Rizzo agemo(a)agemo.cc
At 06:37 PM 6/29/2000, Jim Hebert wrote:
>[re: embed pw and pw-conf as hardcoded, hidden inputs]
>You could use either a server side solution (php, xssi, whatever) or a
>client side solution (javascript, etc) to give the two hidden password
>fields random values.
>jim
>ashamed at his stupid hacks sometimes =)
I was wondering how the code for random assignment of password is
implemented in the admin's membership mass-subscribe function. What if
there was a reserved word, say RANDU, that the subscription script would
recognize. If you created a subscription box like I did, but in the hidden
field put in RANDU, it would call the random algorithm that is used by mass
subscribe to assign a password for the user.
Those tiny boxes sure are convenient, it would be nice if a little hook
like this could be put in to support it.
--chris
>>>>> "DM" == Dan Mick <Dan.Mick(a)West.Sun.COM> writes:
DM> Here's a fix that's probably safe, and fixes the "newlist"
DM> problem. Of course I'm not sure if it's the right final fix,
DM> but I figure while Barry's examining the problem, this might
DM> be worth a try for some of you.
I just got back from a gig -- thanks for the quick fix Dan. Here's a
slightly better one that also fixes a few other ugly bits.
This is serious enough to warrant a quick beta4, but I want to spend a
couple of hours looking into Ricardo's problem (which I still can't
reproduce). Better that then having to do a beta5 over the weekend ;}
I'm just too beat tonight.
-Barry
Index: MailList.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/MailList.py,v
retrieving revision 1.172
diff -u -r1.172 MailList.py
--- MailList.py 2000/06/28 18:40:48 1.172
+++ MailList.py 2000/06/30 03:04:42
@@ -782,23 +782,21 @@
Utils.MakeDirTree(os.path.join(mm_cfg.LIST_DATA_DIR, name))
self._full_path = os.path.join(mm_cfg.LIST_DATA_DIR, name)
self._internal_name = name
- self.Lock()
- self.InitVars(name, admin, crypted_password)
- self._ready = 1
- self.InitTemplates()
- self.Save()
- self.CreateFiles()
-
- def CreateFiles(self):
+ # Don't use Lock() since that tries to load the non-existant config.db
+ self.__lock.lock()
+ self.InitVars(name, admin, crypted_password)
+ self._ready = 1
+ self.InitTemplates()
+ self.Save()
# Touch these files so they have the right dir perms no matter what.
# A "just-in-case" thing. This shouldn't have to be here.
ou = os.umask(002)
try:
- open(os.path.join(mm_cfg.LOCK_DIR, '%s.lock' %
- self._internal_name), 'a+').close()
- open(os.path.join(self._full_path, "next-digest"), "a+").close()
- open(os.path.join(self._full_path, "next-digest-topics"),
- "a+").close()
+ path = os.path.join(self._full_path, 'next-digest')
+ fp = open(path, "a+")
+ fp.close()
+ fp = open(path+'-topics', "a+")
+ fp.close()
finally:
os.umask(ou)
Just a nudge, Barry, to remind you to update freshmeat to show the
new beta release...
--
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)
And they sit at the bar and put bread in my jar
and say 'Man, what are you doing here?'"
At 08:07 PM 6/28/2000, Dan wrote:
>The answer was "what's the question"?
>
>What does it mean to "type an email address and hit a submit button"?
>Yeah, one could add that right away:
>
><FORM METHOD=POST ACTION=....uh....what?>
[note to developers: is there a more elegant way to implement this?]
The list is not being very helpful today. I think that what this person
wants is something like the quickie subscription boxes that you see for
eGroups of ListBot. I have been working on something like this for a few
lists that I run. As long as security is not that important, it is
possible to work the subscription box into a web page.
NOTE: this is a really quick kluge.
NoTE: this is really not secure, I only use it on lists where it does not
matter that much.
To use:
Drop into a page. Edit the ACTION line to point to the proper
server/listname on your MM server. Also edit the two password fields so
that they are the same. What this will do is provide an initial password
for the user, making joining easy. What this will also do is provide the
same initial password for all users, so IT IS NOT REALLY SECURE. At least
change it to something sufficiently random looking to encourage people to
change it themselves.
Here is the HTML:
<!-- Begin insecure MM list signup box kluge. -->
<FORM METHOD="POST"
ACTION="http://www.aocn.aurora.edu/mailman/subscribe/ilcomnets">
<!-- You will need to customize the above line for your site and list.
--><P> </P>
<TABLE COLS="1" BORDER="0" CELLSPACING="4" CELLPADDING="5">
<TR>
<TD COLSPAN="2" WIDTH="100%" BGCOLOR="#99CCFF" ALIGN="CENTER"> <B><FONT
COLOR="#000000" SIZE="+1">ilcomnets -- Illinois Community Networking
List</FONT></B> </TD>
</TR>
<TR>
<TD COLSPAN="2" WIDTH="100%" BGCOLOR="#FFF0D0"> <B><FONT
COLOR="#000000">Subscribing to ilcomnets</FONT></B> </TD>
</TR>
<TR>
<TD COLSPAN="2"> <P> Subscribe to ilcomnets by filling out the following form.
You will be sent email requesting confirmation, to prevent others from
gratuitously subscribing you. This is a private list, which means that the
members list is not available to non-members. </P>
<TABLE WIDTH="65%">
<TR>
<TD>Your email address:</TD>
<TD><INPUT TYPE="Text" NAME="email" SIZE="30"></TD>
</TR>
<TR>
<TD COLSPAN="2"><INPUT TYPE="HIDDEN" NAME="pw" SIZE="15"
VALUE="ENTERSOMETHING"><INPUT TYPE="HIDDEN" NAME="pw-conf" SIZE="15"
VALUE="ENTERSOMETHING"> </TD>
</TR>
<!-- The terms ENTERSOMETHIN should be replaced on your site with something
random. Note that this is the default password and it will be the same for
everyone, so do not use this on a list where you need to have real
security. --><TR>
<TD>Would you like to receive list mail batched in a daily digest? </TD>
<TD><INPUT TYPE="radio" NAME="digest" VALUE="0" CHECKED="CHECKED"> No
<INPUT TYPE="radio" NAME="digest" VALUE="1"> Yes </TD>
</TR>
<TR>
<TD COLSPAN="2"> <CENTER>
<INPUT TYPE="Submit" NAME="email-button" VALUE="Subscribe">
</CENTER>
</TD>
</TR>
</TABLE>
</TD>
</TR>
</TABLE>
</FORM>
<!-- End insecure MM list signup box kluge. -->
And if anyone posts this without modification and I start to see lots of
subscribers to ilcomnets then I will come after you with a vengeance.
--chris
> --- Todd LaClair <todd.laclair(a)mail.dreamtheater.com>
> > > wrote:
>
> > >If I wanted to have a box on my webpage where a user would type their
> email
> > >address and hit a submit button. Would MailMan be the best product to
> manage
> > >this user list?
--
/////\\\\\/////\\\\\
Christopher G. Kolar
Director, Department of Instructional Technology
Aurora University, Aurora, Illinois
ckolar(a)admin.aurora.edu -- www.aurora.edu/~ckolar
[PGP Public Key ID: 0xC6492C72]
