[Bug 1429366] [NEW] Anatomy of list ids does not keep with that of urls causes some REST end points to return 404 always

Ankush Sharma ankprashar at gmail.com
Sat Mar 7 11:10:37 CET 2015


Public bug reported:

The hash (#) is a valid character as far as the local part of email addresses is concerned. So, as mailing list addresses are email addresses too, we can use # in list names too. And in the context of Mailman it works well. We can create a list with list_id sam#hashed.host.org for the address sam#hashed at host.org. This works fine. But it makes the list_id contain the hash character, and therefore the REST endpoint for retrieving list-wise info becomes invalid, i.e.:
  
<api-root>/lists/sam#hashed.host.org

Because in a URL the stuff after # is treated as the document starting point, i.e. an id identifier or something of a DOM element. This is not a valid PATH for the server. Therefore the falcon WSGI request object does not contain information about that, and req.path simply returns sam as the list_id ( http://bazaar.launchpad.net/~mailman-coders/mailman/3.0/view/head:/src/mailman/rest/wsgiapp.py#L65 ), giving a 404 because there is no list with list id sam.
The mailman client works fine; it sends a GET to <api-root>lists/sam#hashed.host.org.

This causes the REST endpoints which need list_id to return 404, or worse, we can have a list_id clash between ids sam#XXXXX and sam. Furthermore, if the list_id starts with a # character then the server finds list_id to be an empty string and therefore we get a KEY ERROR because fqdn_listname is not set either. The bug highly affects postorius too. The lists index template at /postorius/lists/ cannot be rendered as it uses the former REST endpoint and again a 404 is given. And until we delete this list from the database, we can't do anything except get a 404 and KEY ERROR each time.
As far as security is concerned, if another user created a public list using a hash character, then public list indexing would also fail.

** Affects: mailman
     Importance: Undecided
         Status: New


** Tags: mailman3 postorius

https://bugs.launchpad.net/bugs/1429366
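
The fragment truncation described in the report, and percent-encoding the list id as one way to avoid it, shown as an added example (not code from the report or from Mailman). `API_ROOT`, the function names and the sample ids are assumptions made for illustration, and the encoded case assumes the server percent-decodes the path segment.

```python
from urllib.parse import quote, unquote, urlsplit

API_ROOT = "http://localhost:8001/3.0"  # assumed placeholder for <api-root>
LISTS_PREFIX = urlsplit(API_ROOT).path + "/lists/"

# Constructed sample ids: a plain one, the report's example, a leading '#'.
SAMPLE_IDS = ["sam", "sam#hashed.host.org", "#start.host.org"]


def naive_list_url(list_id):
    """Concatenate the raw list id into the endpoint URL."""
    return f"{API_ROOT}/lists/{list_id}"


def encoded_list_url(list_id):
    """Percent-encode the id as a single path segment ('#' becomes '%23')."""
    return f"{API_ROOT}/lists/{quote(list_id, safe='')}"


def list_id_seen_by_server(url):
    """Return the list id recoverable from the URL's path component.

    URL parsing cuts the path at the first '#'; everything after it is
    the fragment and is not part of the request path.
    """
    path = urlsplit(url).path
    if not path.startswith(LISTS_PREFIX):
        raise ValueError(f"not a list endpoint: {url}")
    return unquote(path[len(LISTS_PREFIX):])


def colliding_ids(list_ids, build_url=naive_list_url):
    """Group ids that resolve to the same server-side id; keep real clashes."""
    seen = {}
    for list_id in list_ids:
        key = list_id_seen_by_server(build_url(list_id))
        seen.setdefault(key, []).append(list_id)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    for list_id in SAMPLE_IDS:
        raw = list_id_seen_by_server(naive_list_url(list_id))
        enc = list_id_seen_by_server(encoded_list_url(list_id))
        print(f"{list_id!r}: raw -> {raw!r}, encoded -> {enc!r}")
    print("clashes with raw ids:", colliding_ids(SAMPLE_IDS))
```
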
