[Bug 739524] Re: Administrivia 'who' matches too much

Mark Sapiro mark at msapiro.net
Mon Mar 21 20:11:07 CET 2011


I think the consequences of allowing mail with the command "who
<password>" containing the list admin password to go to the list if
inadvertently sent to the list posting address are more serious than the
consequences of a false positive administrivia hold.

The "who <password> address=<address>" form is probably less used and
less likely to contain the list password, since the address= option is
irrelevant if the password is the list admin or moderator password.
Since the argument count range was (0, 0) prior to Mailman 2.1.10, I
think changing it to (0, 1) is OK, but I think (0, 0) has too much risk.

Also, note that any message that contains more than
DEFAULT_MAIL_COMMANDS_MAX_LINES non-blank body lines prior to any '-- '
signature separator is not administrivia, so reducing
DEFAULT_MAIL_COMMANDS_MAX_LINES from the default 25 can also reduce the
false positives.

** Changed in: mailman
   Importance: Undecided => Low

** Changed in: mailman
       Status: New => Triaged

** Changed in: mailman
    Milestone: None => 2.1.15

** Changed in: mailman
     Assignee: (unassigned) => Mark Sapiro (msapiro)

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/739524

Title:
  Administrivia 'who' matches too much
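
The trade-off discussed in the message above, as an added example that is not part of the original message and is not Mailman's code: a simplified model of an argument-count check for the `who` command, run over constructed sample bodies. The function names, the sample bodies, the placeholder password and the (0, 2) range (assumed here to cover the address= form) are assumptions for illustration.

```python
# Simplified model of an administrivia hold (added example, not Mailman code).
# All names here are hypothetical.

def is_held_as_administrivia(body, who_range, max_lines=25):
    """Return True if a body line looks like a 'who' command within who_range."""
    lines = []
    nonblank = 0
    for line in body.splitlines():
        if line == "-- ":            # signature separator ends the scan
            break
        if line.strip():
            nonblank += 1
            if nonblank > max_lines:  # long messages are never administrivia
                return False
            lines.append(line)
    commands = {"who": who_range}     # (min args, max args) per command
    for line in lines:
        words = line.lower().split()
        arg_range = commands.get(words[0])
        if arg_range is None:
            continue
        lo, hi = arg_range
        if lo <= len(words) - 1 <= hi:
            return True
    return False


# Constructed sample message bodies; the password is a placeholder.
SAMPLES = {
    "bare who": "who\n",
    "who + password": "who PLACEHOLDER-PW\n",
    "who + password + address": "who PLACEHOLDER-PW address=user@example.com\n",
    "ordinary post": "Who knows?\nI could not find it in the docs.\n",
}


def held(who_range, max_lines=25):
    """Map each sample name to whether it would be held."""
    return {name: is_held_as_administrivia(body, who_range, max_lines)
            for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for rng in [(0, 0), (0, 1), (0, 2)]:
        print(rng, held(rng))
    print("(0, 1) with max_lines=1", held((0, 1), max_lines=1))
```

In this model (0, 0) lets the password-bearing line through to the list, while (0, 1) holds it at the cost of also holding the short "Who knows?" post. Lowering the line limit removes that false positive, and by the same rule a long message that starts with a command line is not held either.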

