[Bug 1429366] [NEW] Anatomy of list ids does not keep with that of urls causes some REST end points to return 404 always

Ankush Sharma ankprashar at gmail.com
Sat Mar 7 11:10:37 CET 2015

Public bug reported:

The hash(#) is a valid character as far as the local part of the email addresses is concerned. So, as the mailing list addresses are email addresses too, we can use # in the list names too. And, in context with mailman it works well. We can create a list with  list_id sam#hashed.host.org for the address sam#hashed at host.org . This works fine. But it makes the list_id to contain the hash character and therefore the REST endpoint for retrieving list wise info becomes invalid, i.e :

Because in an URL the stuff after # is treated as document starting point i.e an id identifier or something of a dom element. This is not a valid PATH for the server. Therefore the falcon wsgi request object does not contain information of that and the req.path simply returns sam as the list_id ( http://bazaar.launchpad.net/~mailman-coders/mailman/3.0/view/head:/src/mailman/rest/wsgiapp.py#L65 ) giving a 404 because there is no any list with list id sam.
The mailman client works fine, it sends a GET to <api-root>lists/sam#hashed.host.org. 

This causes the REST end points which needs list_id to return 404 or in worse we can have a list_id clash between ids sam#XXXXX and sam. Further more if the list_id starts with a # character then the server finds list_id to be empty string and therefore we get a KEY ERROR because fqdn_listname is not set too. The bug highly effects postorius too. The lists index template at /postorius/lists/ cannot be rendered as it uses the former REST endpoint and again a 404 is given. And, until we delete this list from the database, we cann't do anything except of getting a 404 and KEY ERROR each time.
As far as security is concerned, if an another user created a public list using a hash character, then public list indexing would also fail.

** Affects: mailman
     Importance: Undecided
         Status: New

** Tags: mailman3 postorius

You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.

  Anatomy of list ids does not keep with that of urls causes some REST
  end points to return 404 always

To manage notifications about this bug go to:

More information about the Mailman-coders mailing list