Problem with plus-sign "+" in the list-name
Hi all,
since upgrading to mailman 2.1.15 the following problem occurs:
When list admins want to change the list parameters or member list through the web interface, they receive: "Error: The form lifetime has expired. (request forgery check)" and no change is made.
IMPORTANT: This error only happens when the list-name contains a plus-sign "+", like e+test@lists.myorg.com.
The other list functions are working fine.
Unfortunately we have got a lot of such lists and it is nearly impossible to change all the list names.
Can anybody help me?
best regards Gerhard Rappenecker
On 06/13/2013 03:51 AM, Gerhard Rappenecker wrote:
> Hi all,
> since upgrading to mailman 2.1.15 the following problem occurs:
> When list admins want to change the list parameters or member list through the web interface, they receive: "Error: The form lifetime has expired. (request forgery check)" and no change is made.
> IMPORTANT: This error only happens when the list-name contains a plus-sign "+", like e+test@lists.myorg.com.
This is a bug in the new CSRF checking scheme introduced in 2.1.15. It will take me a day or so to do a proper fix. In the meantime, you can edit the Mailman/CSRFcheck.py module by adding immediately following the lines

    def csrf_check(mlist, token):
        """ check token by mailman cookie validation algorithm """

the line

        return True

which will effectively disable the check and return pre-2.1.15 behavior.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Hi Mark,
the workaround works fine.
Thanks a lot for the great support.
Gerhard Rappenecker
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/g.rappenecker%40hs-offe... burg.de
On 06/13/2013 07:56 AM, Gerhard Rappenecker wrote:
> the workaround works fine.

This is now reported at <https://bugs.launchpad.net/mailman/+bug/1190802> and properly fixed at <http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1392>.

> Thanks a lot for the great support.

We try. It's always good to hear our efforts are appreciated.

--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
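
The workaround in this thread makes csrf_check accept every request, so it should be removed once the fixed revision is installed. The following added example (not part of the thread and not Mailman code) checks a CSRFcheck.py source for that leftover short-circuit; the helper names and both sample sources are constructed for illustration, and it assumes the file parses under the interpreter running the script.

```python
import ast

# Constructed samples. Only the def line, docstring and `return True` come from
# the thread; `validate` is a placeholder for the real function body.
PATCHED = '''
def csrf_check(mlist, token):
    """ check token by mailman cookie validation algorithm """
    return True
    return validate(mlist, token)
'''
UNPATCHED = '''
def csrf_check(mlist, token):
    """ check token by mailman cookie validation algorithm """
    return validate(mlist, token)
'''


def is_constant_true(node):
    """True for the AST of a literal `True` (Constant on Python 3, Name on Python 2)."""
    return getattr(node, "value", None) is True or getattr(node, "id", None) == "True"


def check_is_short_circuited(source, func_name="csrf_check"):
    """Return True if func_name starts with an unconditional `return True`,
    False if it does not, and None if the function is not in the source."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and node.name == func_name:
            body = node.body
            if ast.get_docstring(node) is not None:
                body = body[1:]  # skip the docstring statement
            first = body[0] if body else None
            return isinstance(first, ast.Return) and is_constant_true(first.value)
    return None


def audit_file(path):
    """Read a CSRFcheck.py from disk and report on it (path supplied by the caller)."""
    with open(path) as fh:
        return check_is_short_circuited(fh.read())


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        state = audit_file(path)
        print("%s: %s" % (path, {True: "CSRF check DISABLED by workaround",
                                 False: "CSRF check active",
                                 None: "csrf_check not found"}[state]))
```

Run it with the path to the installed Mailman/CSRFcheck.py as the argument.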