Hello everyone,
I want to discuss a serious issue regarding mailman architecture in context with bug #1429366 <https://bugs.launchpad.net/mailman/+bug/1429366>. The *hash(#) *is a valid character as far as the local part of the email addresses is concerned as per the email RFCs. So, as the mailing list addresses are email addresses too, we can use # in the list names too. And, in context with mailman it works well. We can create a list with list_id *sam#hashed.host.org <http://hashed.host.org>* for the address *sam#hashed@host.org <hashed@host.org> *. This works fine. But it makes the *list_id *to contain the hash character and therefore the REST endpoint for retrieving list wise info becomes invalid, i.e :
*<api-root>/lists/sam#hashed.host.org <http://hashed.host.org>*
Because in an URL the stuff after # is treated as *document starting point* i.e an id identifier or something of a dom element. This is not a valid PATH for the server. Therefore the *falcon wsgi request object* does not contain information of that and the *req.path* simply returns *sam* as the *list_id* ( http://bazaar.launchpad.net/~mailman-coders/mailman/3.0/view/head:/src/mailm... ) giving a 404 because there is no any list with list id *sam*. The mailman client works fine, it sends a GET to *<api-root>lists/sam#hashed.host.org <http://hashed.host.org>. *
This causes the REST end points which needs *list_id* to return 404 or in worse we can have a list_id clash between ids* sam#XXXXX* and *sam*. Further more if the list_id starts with a # character then the server finds list_id to be *empty string* and therefore we get a KEY ERROR because *fqdn_listname *is not set too. The bug highly effects postorius too. The lists index template at */postorius/lists/ *cannot be rendered as it uses the former REST endpoint and again a 404 is given. And, until we delete this list from the database, we can't do anything except of getting a 404 and KEY ERROR each time. As far as security is concerned, if an another user created a public list using a hash character, then public list indexing would also fail.
*Possible fixes:*
Put a constraint over the use of this kind of characters, but it's like falling back.
Do not derive list ids directly from the list addresses, use some kind of hashing or encoding technique to generate list_ids. Need to change a lot in architecture; :( .
Use obscure techniques to retain the hash part as discussed here http://stackoverflow.com/questions/317760/how-to-get-url-hash-from-server-si...
I think this is quite a serious issue in mailman architecture; i.e obtaining list_ids directly from list addresses. I have been trying to fix this bug using some obscure techniques. But as it is related to mailman architecture, I thought it should be worthy to discuss on the mailing list first.
Thanks, Ankush Sharma github.com/black-perl