[Bug 1447445] [NEW] Web subscribe can fail in cases of load balancers or other devices.

Mark Sapiro mark at msapiro.net
Thu Apr 23 06:39:32 CEST 2015


Public bug reported:

The fix for (LP: #1082746) implemented a SUBSCRIBE_FORM_SECRET feature.
If this is enabled by a site, the subscribe form on the listinfo page
contains a hidden input field which includes a hash of various data
including the IP address that the GET of the listinfo came from. Upon
submission of the form, this hash is recomputed using the IP address
that the POST of the form came from, and if the hashes don't match, the
subscribe fails.

This can cause legitimate subscribes to fail if the user is connected
via a load balancer or other device which submits http(s) requests using
a possibly different IP for each request.

** Affects: mailman
     Importance: Medium
     Assignee: Mark Sapiro (msapiro)
         Status: In Progress

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1447445
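The failure described in this report, reproduced as an added example that is not Mailman's code and not part of the original message. The token layout, the use of HMAC-SHA256, and the names `client_key`, `make_token` and `check_token` are assumptions. The prefix option is one possible relaxation shown for comparison, not a fix taken from the report.

```python
import hashlib
import hmac
import ipaddress

SECRET = b"constructed-example-secret"  # stands in for SUBSCRIBE_FORM_SECRET

def client_key(ip, prefix_v4=None, prefix_v6=None):
    """Value bound into the token: the full address, or its network prefix."""
    addr = ipaddress.ip_address(ip)
    bits = prefix_v4 if addr.version == 4 else prefix_v6
    if bits is None:
        return str(addr)
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))

def make_token(listname, ip, issued, **prefix):
    """Hidden-field value for the form served by the GET (assumed layout)."""
    data = "\n".join([str(issued), listname, client_key(ip, **prefix)])
    mac = hmac.new(SECRET, data.encode(), hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"

def check_token(field, listname, ip, now, max_age=3600, **prefix):
    """Recompute the token from the POST's source address and compare."""
    try:
        issued = int(field.split(":", 1)[0])
    except ValueError:
        return False
    if not 0 <= now - issued <= max_age:
        return False
    expected = make_token(listname, ip, issued, **prefix)
    return hmac.compare_digest(field.encode(), expected.encode())

def demo():
    """Constructed requests: GET via one egress address, POST via another."""
    get_ip, post_ip, other_ip = "198.51.100.17", "198.51.100.42", "203.0.113.9"
    strict = make_token("example-list", get_ip, 1000)
    relaxed = make_token("example-list", get_ip, 1000, prefix_v4=24, prefix_v6=64)
    return {
        "strict_same_ip": check_token(strict, "example-list", get_ip, 1060),
        "strict_balanced": check_token(strict, "example-list", post_ip, 1060),
        "relaxed_balanced": check_token(relaxed, "example-list", post_ip, 1060,
                                        prefix_v4=24, prefix_v6=64),
        "relaxed_other_net": check_token(relaxed, "example-list", other_ip, 1060,
                                         prefix_v4=24, prefix_v6=64),
    }

if __name__ == "__main__":
    print(demo())
```

Binding to a prefix accepts the token from any address in that network, so it trades some of the per-client binding for tolerance of rotating egress addresses.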