[Mailman-Developers] [gorgo@caesar.elte.hu: Re: [Mailman-Developers] URGENT!!!! security problems]

Scott scott@chronis.icgroup.com
Sat, 25 Jul 1998 13:09:57 -0400


-----Forwarded message from Gergely Madarasz <gorgo@caesar.elte.hu>-----

Found the problem. ValidEmail is called only from AddMember, not from
ApprovedAddMember. So the listowner can subscribe invalid addresses.

--------------------

mmm... something must not have made its way into the patches for
1.0b4.  my working copy has ValidEmail called in ApprovedAddMember but
1.0b4 does not.  don't know if that was my fault or not, but i think
adding a ValidEmail call to ApprovedAddMember is the right way to go:
it should be harmless when ApprovedAddMember is called from the
mail_cmd interface since it's already been called in AddMember, and it
does fix the security problem.

scott
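
The gap described in this message, as an added sketch that is not part of the original post and is not Mailman's code: the address check runs only in the outer entry point, so a caller that reaches the storing method directly skips it. The class names, `try_paths`, and the stand-in `valid_email` regex are assumptions for illustration, and the direct call from `add_member` to `approved_add_member` simplifies the mail-command flow.

```python
import re

# Stand-in validator (assumption): NOT Mailman's ValidEmail, just a strict shape check.
_ADDR = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


class BadAddress(Exception):
    pass


def valid_email(addr):
    if not _ADDR.match(addr):
        raise BadAddress(addr)


class ListBefore:
    """Check only in add_member, the situation reported for 1.0b4."""

    def __init__(self):
        self.members = []

    def add_member(self, addr):           # models AddMember (mail-command path)
        valid_email(addr)
        self.approved_add_member(addr)

    def approved_add_member(self, addr):  # models ApprovedAddMember (list-owner path too)
        self.members.append(addr.lower())


class ListAfter(ListBefore):
    """Check repeated where the address is actually stored."""

    def approved_add_member(self, addr):
        valid_email(addr)                 # redundant but harmless on the add_member path
        super().approved_add_member(addr)


def try_paths(list_cls, addr):
    """Report, per entry point, whether addr was accepted."""
    accepted = {}
    for path in ("add_member", "approved_add_member"):
        ml = list_cls()
        try:
            getattr(ml, path)(addr)
            accepted[path] = True
        except BadAddress:
            accepted[path] = False
    return accepted
```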