Mailman 3 June 2000 - Mailman-Developers

Re: [Mailman-Developers] Mailman password and administrative reminders
by Dan Mick Aug. 14, 2003

Aug. 14, 2003

? This very message came to me with the following header: Errors-To: mailman-developers-admin(a)python.org All my bounces come to the list admin address, set in the admin webpage, in the second field of General Options. Do you have that set to something, and bounces still come to root? > 2. Bounces are sent to the poor postmaster instead of a -admin address. > I'm not entirely certain, but I think an Errors-To: header or something > like that in all Mailman messages might allow one to distribute that load > somewhat.

8 11

Re: [Mailman-Developers] cookies
by Harald Meland July 20, 2000

July 20, 2000

[Ricardo Kustner] > Hi, > > On Tue, May 09, 2000 at 09:12:49PM +0200, Harald Meland wrote: > > > > Please write a patch which puts the string "Cookie could not be set" on the > > > > web page so that I can see that pressing submit will not work :-) > > > i think thats a good point... it would safe some user questions if > > > MM tells exactly why the authorisation failed. > > While I agree that such a warning would be nice, I don't think it's > > possible to do such things with cookies. > it's possible to set a test cookie to see if cookies are > enabled... Ahh, I didn't even think of using multiple cookies :) If I understand you correctly, you're proposing something like this: Whenever Mailman is about to write a login page (i.e. the user is not already authenticated), it first issues a Set-Cookie: Mailman_cookie_test="This cookie is only used to test whether your browser will be able to authenticate with Mailman"; Version=1 HTTP header (If other Mailman cookies set attributes like Path or Domain, the test cookie should mirror these to make the test reflect real usage). Next, once the user has pressed the "Let me in..." button, Mailman checks whether the Cookie has been sent back. If it hasn't, authentication fails (as the user won't be able to make any changes anyway), and Mailman instructs the user to enable Cookies in her browser before retrying login. If the test Cookie is present, Mailman should issue a Set-Cookie: Mailman_cookie_test="clickety click"; Max-Age=0; Version=1 HTTP header (to delete the test cookie, so that the test cookie isn't later confused with test cookies for login attempts at other lists). Finally, Mailman proceeds with password authentication as usual, possibly resulting in an authentication cookie. Hmmmm... I guess the test cookie should contain info on what list it is for, as well. Have I understood you correctly? Does anyone think that implementing this (apart from my misunderstandings, of course :) would be a bad thing? And, while we're talking about cookies: Does anyone know whether switching from the cookie attribute "Expires" (which was part of the original Netscape cookie proposal) to the RFC2109 cookie attribute "Max-Age" is likely to cause any problems? I've had a look at Cookie.py, and the value part of the Expires attribute isn't enclosed in double quotes (in accordance with the original Netscape cookie proposal), which I believe might confuse Mailman in some situations where the browser sends back more than one cookie. Of course, if there are any (major) browsers in use out there that doesn't understand Max-Age, it would be a bad idea to change Mailman. -- Harald

5 5

Re: [Mailman-Developers] Bug Found in Mailman
by Harald Meland July 19, 2000

July 19, 2000

[Ricardo Kustner] > On Wed, Jun 07, 2000 at 04:21:06PM +0200, Andrea Paparelli wrote: > > Bug in Mailman version 1.1 > > File "/home/staff/mailman/Mailman/SecurityManager.py", line 117, in > > CheckCookie > > if cookiedata[keylen+1] <> '"' and cookiedata[-1] <> '"': > > IndexError: string index out of range > > I stumbled on this a few times too... but it is very hard to reproduce... > what I think went wrong in my situation most of those times is that somehow > the cookie got mixed up with a different cookie which was set by a different > program at the exact same server as mailman... > anybody had simular experiences? I haven't seen this happen with my users, but as the offending piece of code indeed is a hack that won't work reliably if the browser sends multiple cookies, I think this should be addressed somehow. The real problem, I think, is that there's confusion on the subject of cookie content syntax. The original Netscape proposal uses this (not very well-defined, IMO) cookie content syntax: : NAME=VALUE : This string is a sequence of characters excluding semi-colon, : comma and white space. If there is a need to place such data in : the name or value, some encoding method such as URL style %XX : encoding is recommended, though no encoding is defined or : required. A quick example: [ Server -> Client ] Set-Cookie: CUSTOMER=WILE_E_COYOTE; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT [ Client -> Server ] Cookie: CUSTOMER=WILE_E_COYOTE Note that there are no quotes around the cookie value. RFC 2109, however, has a more well-defined, but ever so slightly different content syntax: : 4.1 Syntax: General : : The two state management headers, Set-Cookie and Cookie, have common : syntactic properties involving attribute-value pairs. The following : grammar uses the notation, and tokens DIGIT (decimal digits) and : token (informally, a sequence of non-special, non-white space : characters) from the HTTP/1.1 specification [RFC 2068] to describe : their syntax. : : av-pairs = av-pair *(";" av-pair) : av-pair = attr ["=" value] ; optional value : attr = token : value = word : word = token | quoted-string Note that the cookies value can be a quoted-string. The example from the Netscape spec could look like this using the RFC syntax: [ Server -> Client ] Set-Cookie: CUSTOMER="WILE_E_COYOTE"; Version="1"; Path="/"; Max-Age="3600" [ Client -> Server ] Cookie: $Version="1"; CUSTOMER="WILE_E_COYOTE"; $Path="/" (Some time back) I looked over misc/Cookie.py trying to find some way to make it cope reliably with both kinds of cookies, but wasn't really able to discover what's wrong with _CookiePattern :( I suspect that using "Max-Age" attributes on Mailman cookies instead of the current (non-RFC) "Expires" attribute *might* help, but I really don't have any idea whether such a change will stop Mailman from working with certain browsers. -- Harald

2 1

Membership management chunking requires two authentications..
by Ted Cabeen July 19, 2000

July 19, 2000

Mailman: 1.1 Python: 1.5.2 OS: Solaris 5.7 I don't know if this has been fixed in the CVS version, but I thought I'd submit it anyways. There seems to be a small authentication bug with the chunking in the membership management page. The page will load up correctly the first time it is accessed with the first chunk size shown. However, when you request a different chunk, it requires a reauthentication and then gives the chunk=0 page instead of the requested chunk. If you then click on the alternate chunk it loads fine. However, the additional click and authentication is annoying. -- Ted Cabeen http://www.pobox.com/~secabeen secabeen(a)pobox.com Check Website or finger for PGP Public Key secabeen(a)midway.uchicago.edu "I have taken all knowledge to be my province." -F. Bacon cococabeen(a)aol.com "Human kind cannot bear very much reality."-T.S.Eliot 73126.626(a)compuserve.com

3 4

b3 not working anymore?
by Ricardo Kustner July 10, 2000

July 10, 2000

Hi, I'm running the latest cvs (just updated again this morning just to be sure) but their doesn't seem to be any more posts being send out on the list?? they all arrive on the approval page, but once approved they vanish into nothing... I'm not sure how long this has been going on though... anybody else having the same trouble? Ricardo. --

6 6

Config.db
by agemo＠agemo.cc June 30, 2000

June 30, 2000

Hi, I'm sorry for my bad english... I'd like to read the file config.db with a perl-program, where I can read informations about the file format? Thank's to all. Ciao Davide -- Davide Rizzo agemo(a)agemo.cc

4 6

Re: Question: signup box kluge
by Christopher Kolar June 30, 2000

June 30, 2000

At 06:37 PM 6/29/2000, Jim Hebert wrote: >[re: embed pw and pw-conf as hardcoded, hidden inputs] >You could use either a server side solution (php, xssi, whatever) or a >client side solution (javascript, etc) to give the two hidden password >fields random values. >jim >ashamed at his stupid hacks sometimes =) I was wondering how the code for random assignment of password is implemented in the admin's membership mass-subscribe function. What if there was a reserved word, say RANDU, that the subscription script would recognize. If you created a subscription box like I did, but in the hidden field put in RANDU, it would call the random algorithm that is used by mass subscribe to assign a password for the user. Those tiny boxes sure are convenient, it would be nice if a little hook like this could be put in to support it. --chris

1 0

Re: quick-fix patch for newlist failure
by bwarsaw＠beopen.com June 29, 2000

June 29, 2000

>>>>> "DM" == Dan Mick <Dan.Mick(a)West.Sun.COM> writes: DM> Here's a fix that's probably safe, and fixes the "newlist" DM> problem. Of course I'm not sure if it's the right final fix, DM> but I figure while Barry's examining the problem, this might DM> be worth a try for some of you. I just got back from a gig -- thanks for the quick fix Dan. Here's a slightly better one that also fixes a few other ugly bits. This is serious enough to warrant a quick beta4, but I want to spend a couple of hours looking into Ricardo's problem (which I still can't reproduce). Better that then having to do a beta5 over the weekend ;} I'm just too beat tonight. -Barry Index: MailList.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/MailList.py,v retrieving revision 1.172 diff -u -r1.172 MailList.py --- MailList.py 2000/06/28 18:40:48 1.172 +++ MailList.py 2000/06/30 03:04:42 @@ -782,23 +782,21 @@ Utils.MakeDirTree(os.path.join(mm_cfg.LIST_DATA_DIR, name)) self._full_path = os.path.join(mm_cfg.LIST_DATA_DIR, name) self._internal_name = name - self.Lock() - self.InitVars(name, admin, crypted_password) - self._ready = 1 - self.InitTemplates() - self.Save() - self.CreateFiles() - - def CreateFiles(self): + # Don't use Lock() since that tries to load the non-existant config.db + self.__lock.lock() + self.InitVars(name, admin, crypted_password) + self._ready = 1 + self.InitTemplates() + self.Save() # Touch these files so they have the right dir perms no matter what. # A "just-in-case" thing. This shouldn't have to be here. ou = os.umask(002) try: - open(os.path.join(mm_cfg.LOCK_DIR, '%s.lock' % - self._internal_name), 'a+').close() - open(os.path.join(self._full_path, "next-digest"), "a+").close() - open(os.path.join(self._full_path, "next-digest-topics"), - "a+").close() + path = os.path.join(self._full_path, 'next-digest') + fp = open(path, "a+") + fp.close() + fp = open(path+'-topics', "a+") + fp.close() finally: os.umask(ou)

1 0

freshmeat...
by Chuq Von Rospach June 29, 2000

June 29, 2000

Just a nudge, Barry, to remind you to update freshmeat to show the new beta release... -- Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com) Apple Mail List Gnome (mailto:chuq@apple.com) And they sit at the bar and put bread in my jar and say 'Man, what are you doing here?'"

1 0

Re: [Mailman-Users] Question: signup box kluge
by Christopher Kolar June 29, 2000

June 29, 2000

At 08:07 PM 6/28/2000, Dan wrote: >The answer was "what's the question"? > >What does it mean to "type an email address and hit a submit button"? >Yeah, one could add that right away: > ><FORM METHOD=POST ACTION=....uh....what?> [note to developers: is there a more elegant way to implement this?] The list is not being very helpful today. I think that what this person wants is something like the quickie subscription boxes that you see for eGroups of ListBot. I have been working on something like this for a few lists that I run. As long as security is not that important, it is possible to work the subscription box into a web page. NOTE: this is a really quick kluge. NoTE: this is really not secure, I only use it on lists where it does not matter that much. To use: Drop into a page. Edit the ACTION line to point to the proper server/listname on your MM server. Also edit the two password fields so that they are the same. What this will do is provide an initial password for the user, making joining easy. What this will also do is provide the same initial password for all users, so IT IS NOT REALLY SECURE. At least change it to something sufficiently random looking to encourage people to change it themselves. Here is the HTML:  <FORM METHOD="POST" ACTION="http://www.aocn.aurora.edu/mailman/subscribe/ilcomnets"> <P> </P> <TABLE COLS="1" BORDER="0" CELLSPACING="4" CELLPADDING="5"> <TR> <TD COLSPAN="2" WIDTH="100%" BGCOLOR="#99CCFF" ALIGN="CENTER"> <B><FONT COLOR="#000000" SIZE="+1">ilcomnets -- Illinois Community Networking List</FONT></B> </TD> </TR> <TR> <TD COLSPAN="2" WIDTH="100%" BGCOLOR="#FFF0D0"> <B><FONT COLOR="#000000">Subscribing to ilcomnets</FONT></B> </TD> </TR> <TR> <TD COLSPAN="2"> <P> Subscribe to ilcomnets by filling out the following form. You will be sent email requesting confirmation, to prevent others from gratuitously subscribing you. This is a private list, which means that the members list is not available to non-members. </P> <TABLE WIDTH="65%"> <TR> <TD>Your email address:</TD> <TD><INPUT TYPE="Text" NAME="email" SIZE="30"></TD> </TR> <TR> <TD COLSPAN="2"><INPUT TYPE="HIDDEN" NAME="pw" SIZE="15" VALUE="ENTERSOMETHING"><INPUT TYPE="HIDDEN" NAME="pw-conf" SIZE="15" VALUE="ENTERSOMETHING"> </TD> </TR> <TR> <TD>Would you like to receive list mail batched in a daily digest? </TD> <TD><INPUT TYPE="radio" NAME="digest" VALUE="0" CHECKED="CHECKED"> No <INPUT TYPE="radio" NAME="digest" VALUE="1"> Yes </TD> </TR> <TR> <TD COLSPAN="2"> <CENTER> <INPUT TYPE="Submit" NAME="email-button" VALUE="Subscribe"> </CENTER> </TD> </TR> </TABLE> </TD> </TR> </TABLE> </FORM>  And if anyone posts this without modification and I start to see lots of subscribers to ilcomnets then I will come after you with a vengeance. --chris > --- Todd LaClair <todd.laclair(a)mail.dreamtheater.com> > > > wrote: > > > >If I wanted to have a box on my webpage where a user would type their > email > > >address and hit a submit button. Would MailMan be the best product to > manage > > >this user list? -- /////\\\\\/////\\\\\ Christopher G. Kolar Director, Department of Instructional Technology Aurora University, Aurora, Illinois ckolar(a)admin.aurora.edu -- www.aurora.edu/~ckolar [PGP Public Key ID: 0xC6492C72]

2 1