Testing STEALTH_MODE = 1

Hi All, A bit of an odd question this one. I'm new to Mailman, and one of my customers has just had an external audit. As part of the audit an advisory was given that too much information was given when an Apache query was executed. This turns out to be from the /mailman/create script.
I've found that setting STEALTH_MODE = 1 in mailman/scripts/driver should fix the problem, but I need to test it. Is there a way to force an error through the web interface?
I've tried changing file permissions on the python binary, changing file permissions on the .py and .pyc scripts, trying to import non-existent modules etc, but I can't manage to get it to dump a stack trace.
Any help gratefully received.
Tom

Tom Skelley wrote:
What Mailman version are you running? STEALTH_MODE has been set to 1 by default in scripts/driver since Mailman 2.1.6. If you are still running 2.1.5 or earlier and are concerned about security issues, see <http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS>.
Edit the file Mailman/Cgi/rmlist.py
Insert the line
raise Exception
immediately preceding the line
def main():
and go to a URL like <http://example.com/mailman/rmlist>.
After you're finished testing, remove the added line.
--
Mark Sapiro <mark@msapiro.net>, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
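
An added illustration, not part of the thread and not Mailman's own scripts/driver code: a minimal Python sketch of the pattern STEALTH_MODE controls, where the traceback always goes to the error log and reaches the browser only when stealth is off. The names run_cgi, broken_handler and leaks_details and the page wording are hypothetical.

```python
import html
import io
import traceback

HEADER = "<h2>We're sorry, we hit a bug!</h2>\n"


def run_cgi(handler, stealth_mode, error_log):
    """Run handler() and return the HTML body sent to the browser.

    The full traceback is always written to error_log; it is included in
    the returned page only when stealth_mode is false.
    """
    try:
        return handler()
    except Exception:
        tb = traceback.format_exc()
        error_log.write(tb)
        if stealth_mode:
            return HEADER + "<p>Details are withheld here; see the server error log.</p>\n"
        return HEADER + "<pre>" + html.escape(tb) + "</pre>\n"


def broken_handler():
    # Stand-in for the temporary "raise Exception" line used to force an error.
    raise Exception("forced test error")


def leaks_details(body):
    """Check a response body for traceback text, as an auditor would."""
    markers = ("Traceback (most recent call last)", ", line ")
    return any(marker in body for marker in markers)


if __name__ == "__main__":
    for mode in (1, 0):
        log = io.StringIO()
        page = run_cgi(broken_handler, mode, log)
        print("STEALTH_MODE =", mode, "-> page leaks details:", leaks_details(page))
        print("  traceback written to log:", "forced test error" in log.getvalue())
```
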

Thanks, that was exactly what I needed! The version of Mailman is a bit later than 2.1.6, but it's still pretty old. Have to be a bit cagey as it's not my install. I suspect that whoever turned off stealth mode to test then never turned it back on again.
Out of interest, is there an ETA on a production release of Mailman 3.x?
Thanks again!
Tom

On Jan 11, 2013, at 01:14 PM, Tom Skelley wrote:
Out of interest, is there an ETA on a production release of Mailman 3.x?
At this point, we're mostly trying to get the web ui (Postorius) feature compatible with Mailman 2.1. We're also working on the new archiver (Hyperkitty). I think the core engine is pretty stable and would invite interested users to give it a go, but understand that it has to be managed from the command line for now.
We will be sprinting on these components again at Pycon 2013.
Cheers, -Barry

participants (3): Barry Warsaw, Mark Sapiro, Tom Skelley