-----Forwarded message from Gergely Madarasz <gorgo@caesar.elte.hu>-----

Found the problem. ValidEmail is called only from AddMember, not from ApprovedAddMember. So the listowner can subscribe invalid addresses.

mmm... something must not have made it's way into the patches for 1.0b4. my working copy has ValidEmail called in ApprovedAddMember but 1.0b4 does not. don't know if that was my fault or not, but i think adding a ValidEmail call to ApprovedAddMember is the right way to go: it should be harmless when ApprovedAddMember is called from the mail_cmd interface since it's already been called in AddMember, and it does fix the security problem.

scott