Ben Cooksley wrote:
> If Mailman were to implement basic CSRF protection for all POST requests that would also slow the attackers down I suspect (as they would have to make a GET request first and parse it).
I have implemented a simple version of what I think you requested in your post at http://mail.python.org/pipermail/mailman-users/2012-October/074287.html.
It is implemented by the attached patch against Mailman 2.1.15. The patch will apply to versions 2.1.12 and later with at most line number changes. For older versions, the hashing function Mailman.Utils.sha_new doesn't exist and will need to be changed in the patch to something else. Note that the patch only enables configuring the token for the listinfo subscribe form. To actually enable placement and checking of the token, one must assign a non-empty string value to SUBSCRIBE_FORM_SECRET in mm_cfg.py, i.e.,
SUBSCRIBE_FORM_SECRET = 'Some site specific string'
The actual token is a hex digest of a sha hash of this string plus the list's internal name plus the IP address of the caller.
A more secure token would include something more random such as the time of day, but would be a bit more cumbersome to implement - volunteers are welcome.
Let us know if this helps.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
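The token scheme Mark describes (hex SHA-1 digest of the site secret, the list's internal name and the caller's IP, active only when SUBSCRIBE_FORM_SECRET is non-empty) is small enough to illustrate end to end. The block below is an added example written for this page; it is not the attached Mailman patch and does not use Mailman's own modules. The function names make_token, check_token, make_timed_token and check_timed_token, the list name, the IP addresses and the secret value are assumptions of the example. It goes one step beyond the message by also sketching the timestamped variant Mark mentions as "more secure": the timestamp travels in the clear next to the digest, the secret keeps it unforgeable, and the server rejects tokens older than a configurable age.

```python
"""Subscribe-form token as described in the mailing-list message.

Added example, not Mailman's code: Mailman 2.1.x computes the digest via
Mailman.Utils.sha_new; here hashlib.sha1 is used directly. All names and
sample values are assumptions of this illustration.
"""
import hashlib
import hmac
import time


def make_token(secret, listname, ip):
    """Hex SHA-1 over secret + list internal name + caller IP.

    An empty secret means the feature is disabled and no token is placed,
    matching the SUBSCRIBE_FORM_SECRET behaviour described in the message.
    """
    if not secret:
        return ''
    data = (secret + listname + ip).encode('utf-8')
    return hashlib.sha1(data).hexdigest()


def check_token(secret, listname, ip, submitted):
    """True if the submitted token equals what the form would have carried.

    With an empty secret the check is skipped (feature off). The comparison
    is constant-time so a forger cannot learn how many leading bytes matched.
    """
    if not secret:
        return True
    expected = make_token(secret, listname, ip)
    return hmac.compare_digest(expected, submitted or '')


def make_timed_token(secret, listname, ip, now=None):
    """Variant that mixes in a timestamp (the 'more random' token the message
    suggests; assumption of this example, not part of the patch).

    Format: '<unix-seconds>:<hexdigest>'. The timestamp is sent in the clear
    so the server can recompute the digest; the secret makes it unforgeable.
    """
    if not secret:
        return ''
    ts = str(int(now if now is not None else time.time()))
    digest = hashlib.sha1((secret + listname + ip + ts).encode('utf-8')).hexdigest()
    return ts + ':' + digest


def check_timed_token(secret, listname, ip, submitted, max_age=3600, now=None):
    """Verify a timed token: well-formed, not from the future, not older than
    max_age seconds, and digest matches for this secret/list/IP/timestamp."""
    if not secret:
        return True
    try:
        ts, _digest = (submitted or '').split(':', 1)
        age = (now if now is not None else time.time()) - int(ts)
    except ValueError:
        return False  # malformed token or non-numeric timestamp
    if age < 0 or age > max_age:
        return False
    expected = make_timed_token(secret, listname, ip, now=int(ts))
    return hmac.compare_digest(expected, submitted)


if __name__ == '__main__':
    # Constructed sample values; 192.0.2.0/24 is the documentation range.
    SECRET = 'Some site specific string'
    LIST, IP = 'mylist', '192.0.2.10'
    tok = make_token(SECRET, LIST, IP)
    print('form token for', IP, '=', tok)
    print('same IP accepted:', check_token(SECRET, LIST, IP, tok))
    print('other IP rejected:', check_token(SECRET, LIST, '192.0.2.11', tok))
    ttok = make_timed_token(SECRET, LIST, IP, now=1000000)
    print('timed token fresh:', check_timed_token(SECRET, LIST, IP, ttok, now=1000500))
    print('timed token stale:', check_timed_token(SECRET, LIST, IP, ttok, now=1003700))
```

The plain token is tied to the caller's IP and the list, so a token harvested from one address is useless from another, but it never expires and is identical on every GET from that address for as long as the secret is unchanged. The timed variant closes that gap at the cost of a clock-skew and expiry policy the operator has to choose.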