[Bug 871415] Re: "Approved:" password not stripped when list in BCC

Johnathan Ritzi 871415 at bugs.launchpad.net
Tue Oct 11 16:59:44 CEST 2011

After further review and testing, it has nothing to do with the To or
Bcc fields. Instead, the issue has to do with sending the message using
Gmail's web interface. Gmail by default sends messages in HTML format.
In several cases, the "Approved:" line with password were being sent out
to the mailing list. Looking at the raw message body shows that the
"Approved:"  line was successfully stripped out of the plain text
version of the email at the top, but not the HTML part at the bottom
(which is what the end-user's client displays). Maybe this is "correct"
because Mailman can't be expected to reliably parse the approval line
out of HTML. But it's definitely dangerous behavior, because the email
goes through (rather than bouncing) but without the password being
stripped, broadcasting the owner password to the entire list.

Maybe if the message is sent in HTML format Mailman should try (and
succeed/fail) only on the HTML portion of the message, not the plain-
text version?

You received this bug notification because you are a member of Mailman
Coders, which is subscribed to the bug report.

  "Approved:" password not stripped when list in BCC

To manage notifications about this bug go to:

More information about the Mailman-coders mailing list