Handling non-members in Cgi/options.py
It seems to me that the logic in this change is not correct:
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1881
For lists with private_roster > 0, when the user has entered an email address which is not subscribed to that list, the return is taken without having printed a response. In my environment, Apache httpd then sends a 500 Internal Server Error to the browser. While not saying so in so many words, this behaviour does subtly disclose that the email address is not subscribed. The only privacy-preserving way to proceed would be for Mailman to pretend that the user is subscribed, which is what happened prior to this revision.
On 2/21/22 13:08, David Siebörger wrote:
I have reported this at https://bugs.launchpad.net/mailman/+bug/1961762
Unfortunately I can't just revert this change. Other necessary changes result in https://bugs.launchpad.net/mailman/+bug/1951769 without this change. The best I can do is this:
```python
if not mlist.isMember(user):
    if mlist.private_roster == 0:
        doc.addError(_('No such member: %(safeuser)s.'))
    loginpage(mlist, doc, None, language)
    print doc.Format()
    return
```
Which will return the login page. This will avoid the 500 Internal Server Error, and in the case where one is coming from the listinfo page, will just display the login page. There is still a subtle difference in that if the address given is a member, the login page asks only for a password, but if it's not a member the login page asks for both an address and a password, but I think that's the best that can be done.
I have committed this change at https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1887
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Mark Sapiro writes:
I think in both cases you can return the login page with the address filled in. Not sure if this would be easy to do in the code, but I think this would satisfy both the "minimum effort for user" criterion and the "don't reveal subscription status" criterion, unless I misunderstand the scenario.
Steve
On 2/22/22 10:00, Mark Sapiro wrote:
Fixed at https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1888
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
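The thread is about a membership oracle: a private-roster list must answer a subscribed and an unsubscribed address in the same way, or the difference (a 500, or a login form with a different set of fields) tells the requester whether the address is on the list. The following is an added illustration, not Mailman's code: a toy model of the three behaviours described above (the revision 1881 silent return, the revision 1887 login page, and the login page with the address pre-filled that Stephen suggests), plus a check that compares the responses for a member and a non-member after removing the echoed address. `FakeList`, `login_page` and the sample addresses are constructed for the example; how closely the third handler matches revision 1888 is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FakeList:
    """Minimal stand-in for a Mailman MailList: a member set and private_roster."""
    members: frozenset
    private_roster: int  # 0 = anyone may see the roster, >0 = restricted

    def isMember(self, addr):
        return addr.lower() in self.members


def login_page(prefill, ask_address):
    """Stand-in for loginpage(): the same form text every time, varying only in
    which fields it asks for and whether the address is pre-filled."""
    fields = ['address', 'password'] if ask_address else ['password']
    text = 'LOGIN fields=' + ','.join(fields)
    if prefill is not None:
        text += ' address=' + prefill
    return text


def handle_rev1881(mlist, user):
    """Behaviour David reported: a non-member on a private roster hits a bare
    return, nothing is printed, and the web server answers 500."""
    if not mlist.isMember(user):
        if mlist.private_roster == 0:
            return 'ERROR No such member: %s\n%s' % (user, login_page(None, True))
        return None  # no output at all -> 500 Internal Server Error
    return login_page(user, False)


def handle_rev1887(mlist, user):
    """Mark's first fix: always print a login page, but a non-member is asked for
    address and password while a member is asked only for a password."""
    if not mlist.isMember(user):
        if mlist.private_roster == 0:
            return 'ERROR No such member: %s\n%s' % (user, login_page(None, True))
        return login_page(None, True)
    return login_page(user, False)


def handle_uniform(mlist, user):
    """Stephen's proposal (assumed shape of the final fix): on a private roster,
    member or not, return the same login page with the address pre-filled."""
    if not mlist.isMember(user) and mlist.private_roster == 0:
        return 'ERROR No such member: %s\n%s' % (user, login_page(None, True))
    return login_page(user, True)


def leaks_membership(handler, mlist, member, non_member):
    """Oracle check: True if the handler's response distinguishes a subscribed
    address from an unsubscribed one. The submitted address is replaced by a
    placeholder first, since echoing the input back is not a leak; a missing
    response (None, i.e. the 500) counts as a distinguishable response."""
    def shape(addr):
        resp = handler(mlist, addr)
        return None if resp is None else resp.replace(addr, '<addr>')
    return shape(member) != shape(non_member)


# Constructed sample lists: one subscriber each, roster restricted or public.
PRIVATE = FakeList(frozenset({'alice@example.org'}), private_roster=1)
PUBLIC = FakeList(frozenset({'alice@example.org'}), private_roster=0)

if __name__ == '__main__':
    for h in (handle_rev1881, handle_rev1887, handle_uniform):
        print(h.__name__, 'leaks membership on a private roster:',
              leaks_membership(h, PRIVATE, 'alice@example.org', 'bob@example.org'))
```

On the public-roster list the uniform handler still distinguishes the two addresses, which is the intended behaviour there: `private_roster == 0` means the roster is not a secret, so the "No such member" error costs nothing. The check is only meaningful for the private case.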
Participants (3):
- David Siebörger
- Mark Sapiro
- Stephen J. Turnbull