[Bug 1082746] Re: Automated processes can swamp a list with web subscription requests.

Mark Sapiro mark at msapiro.net
Fri Sep 20 19:29:31 CEST 2013


I suspect it will only be a matter of time before other lists are
attacked too, especially since they have subscribe forms on other sites.

A proper implementation would include modifying the list admin GUI to
maintain a list attribute to control this, but I don't intend to do
that.

You can patch Mailman/Cgi/listinfo.py at about line 188 and
Mailman/Cgi/subscribe.py at about line 125 as follows:

In each of those places, replace the line

    if mm_cfg.SUBSCRIBE_FORM_SECRET:

with the 5 lines

    try:
        _switch = mlist.hash_subscribe
    except AttributeError:
        _switch = False
    if mm_cfg.SUBSCRIBE_FORM_SECRET and _switch:

(if it isn't clear, the 1st, 3rd and 5th lines are indented 4 spaces and
the 2nd and 4th lines are indented 8 spaces.)

Then you can use bin/config_list with input

    mlist.hash_subscribe = True

to set this for a list. Those lists for which mlist.hash_subscribe
exists and is True will require the hidden hash in the subscribe form.
Other lists will not. You still need to set SUBSCRIBE_FORM_SECRET in
mm_cfg.py.

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1082746

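The per-list gate described in the message above, as an added example that is not part of the original post and is not Mailman's own code: it shows which lists end up enforcing the hidden form token and which stay open. `FakeList`, the token layout, the binding to the remote address and `MAX_TOKEN_AGE` are assumptions made for illustration; only `hash_subscribe` and `SUBSCRIBE_FORM_SECRET` come from the post.

```python
import hashlib
import hmac
import time

SUBSCRIBE_FORM_SECRET = "constructed-site-secret"  # stands in for the mm_cfg.py setting
MAX_TOKEN_AGE = 3600  # assumed token lifetime in seconds; not a value from the post


class FakeList:
    """Hypothetical stand-in for a Mailman list object."""
    def __init__(self, name, **attrs):
        self.name = name
        self.__dict__.update(attrs)


def token_required(mlist, secret=SUBSCRIBE_FORM_SECRET):
    # Same decision as the five patched lines: global secret AND per-list
    # switch, with a missing attribute treated as False.
    try:
        _switch = mlist.hash_subscribe
    except AttributeError:
        _switch = False
    return bool(secret and _switch)


def make_token(mlist, remote, now, secret=SUBSCRIBE_FORM_SECRET):
    # Assumed layout "<issue time>:<HMAC-SHA256 hex>"; Mailman's format may differ.
    msg = f"{now}:{mlist.name}:{remote}".encode()
    return f"{now}:{hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()}"


def accept_subscribe(mlist, remote, token, now=None, secret=SUBSCRIBE_FORM_SECRET):
    """Return True if the subscribe POST may proceed."""
    if not token_required(mlist, secret):
        return True  # list not opted in (or no secret set): no token needed
    now = int(time.time()) if now is None else now
    try:
        issued = int(token.split(":", 1)[0])
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    if not 0 <= now - issued <= MAX_TOKEN_AGE:
        return False  # stale or future-dated token
    expected = make_token(mlist, remote, issued, secret)
    return hmac.compare_digest(token.encode(), expected.encode())
```

A list without the attribute, or any list while the secret is empty, accepts posts with no token at all, so the lists that need protection have to be opted in explicitly and the secret has to be set.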