"FG" == Federico Grau <donfede@casagrau.org> writes:
FG> As distributed, Mailman makes it trivial to discover
FG> if a given address is in fact a subscriber. If you suspect
FG> dev@null.com has joined a list, go to the user page and
FG> enter his address to subscribe; you'll get back a revealing
FG> reply 'You already belong, dummy'.
What we can do for MM2.1 is, if the subscriber list is not public, i.e. private_roster is not "Anyone", then if they attempt to subscribe an already subscribed address, we can show them a results page that looks no different whether they actually are subscribed or not.
Then if they are subscribed, we'll send the user a message saying somebody tried to subscribe their address (should we email the admin too?). If they aren't subscribed, then we'll do the normal routine.
(I need to make sure the web message you'd see is identical regardless of whether you're subscribed or not. That's a little tricky, but doable.)
FG> We looked at modifying the html on the user pages but the
FG> python module "handle_opts" seems hard-coded into giving
FG> revealing responses. We also glanced at Mailman 2.0.6 but it
FG> seemed to offer the same behavior.
FG> Has anyone else already looked into this issue, and proposed
FG> code to solve it? We are considering writing a patch for
FG> "handle_opts" and submitting it but 1) don't want to fork
FG> the code, and 2) don't want to duplicate/waste the effort.
In MM2.1, this is done by the options.py cgi script. Here we need to do something similar, but again, it's a little tricky.
If the user is subscribed, and a url containing their email address is given, then they are presented with a page prompting only for their password. If the email address is incorrect, or missing in the url, then they are prompted for both their address and password.
This needs to change such that if private_roster is not "Anyone", then the same sets of prompts will be given regardless of whether the address is a member or not. That leads me to think that if private_roster <> "Anyone" then if any email address is given, we'll only prompt for the password. Obviously, there'll be no matching password, so the error condition in both cases will be to return them to the options prompt page, asking for both email address and password.
This should avoid leaking any membership information. I'll work on getting that into MM2.1. Watch CVS.
-Barry
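As an illustration of the two changes discussed in this thread, here is a small Python model (an added example, not Mailman code; the class and function names, the `private_roster` values and the page wording are assumptions, not the real Mailman 2.1 CGI scripts). It models the subscribe page and the options login page for a list whose roster is private versus one whose roster is "Anyone", and includes the check Barry says he needs to make: that a member and a non-member get byte-identical web output, with the difference confined to what is mailed.

```python
"""Model of a membership-oracle-free subscribe page and options prompt.

Added example; not the Mailman implementation.  Names, setting values and
page wording are assumptions chosen for illustration.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class MailingList:
    name: str
    private_roster: str                 # assumed values: "Anyone", "List members", "List admin only"
    members: dict = field(default_factory=dict)   # address -> password (plaintext, as in MM2 of that era)
    outbox: list = field(default_factory=list)    # (recipient, subject) pairs instead of real mail

    def roster_is_public(self):
        return self.private_roster == "Anyone"


def subscribe(mlist, address):
    """Web subscribe handler.  Returns the page text shown to the requester."""
    already = address.lower() in mlist.members
    if mlist.roster_is_public():
        # Roster is public anyway, so the revealing reply costs nothing extra.
        if already:
            return "You are already subscribed to %s." % mlist.name
        mlist.outbox.append((address, "%s -- confirmation of subscription" % mlist.name))
        return "Confirmation sent to %s." % address
    # Private roster: the page is fixed before membership is consulted, so the
    # only thing that differs between the branches is what gets mailed.
    page = ("Your subscription request has been received. You will receive "
            "email with further instructions.")
    if already:
        mlist.outbox.append((address, "%s -- somebody tried to subscribe your address" % mlist.name))
    else:
        mlist.outbox.append((address, "%s -- confirmation of subscription" % mlist.name))
    return page


def options_prompt_fields(mlist, url_address):
    """Fields the options login page asks for, given the address in the URL (or None)."""
    if url_address is None:
        return ("email", "password")
    if mlist.roster_is_public():
        # Old behaviour: only a real member gets the password-only prompt.
        if url_address.lower() in mlist.members:
            return ("password",)
        return ("email", "password")
    # Private roster: any address at all gets the password-only prompt.
    return ("password",)


def options_login(mlist, address, password):
    """Returns ("options", addr) on success; otherwise the prompt to show next,
    which is the same two-field prompt whether or not the address is a member."""
    stored = mlist.members.get(address.lower())
    if stored is not None and hmac.compare_digest(stored, password):
        return ("options", address.lower())
    return ("prompt", ("email", "password"))


def membership_oracle_report(private_roster):
    """Run each handler for a member and a stranger; True means the web output differs."""
    member, stranger = "member@example.com", "stranger@example.com"   # constructed addresses

    def fresh():
        return MailingList("test", private_roster, {member: "secret"})

    report = {}
    report["subscribe"] = subscribe(fresh(), member) != subscribe(fresh(), stranger)
    ml = fresh()
    report["options_prompt"] = options_prompt_fields(ml, member) != options_prompt_fields(ml, stranger)
    report["options_login"] = options_login(ml, member, "wrong") != options_login(ml, stranger, "wrong")
    return report


if __name__ == "__main__":
    for setting in ("Anyone", "List members"):
        print(setting, membership_oracle_report(setting))
```

The report function is the part worth keeping around: rerun it against both roster settings whenever the subscribe or options templates change, since a single differing string (an extra line break in one branch is enough) reintroduces the oracle.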