[Mailman-Developers] 1030228 Mass Subscribe address with controlcharacter- can't delete

Mark Sapiro msapiro at value.net
Mon Sep 20 02:56:35 CEST 2004


Tokio Kikuchi wrote:

>Hi,
>
>Mark Sapiro wrote:
>
>> Thus, it would seem as a practical matter, Mailman should not accept
>> for subscription any address containing any characters in the ranges
>> \000-\037 and \177-\377. Thus I suggest the following, totally
>> untested change:
>> 
>> --- mailman-2.1.5/Mailman/Utils.py      2003-12-26 14:50:04.000000000
>> -0800
>> +++ mailman-mas/Mailman/Utils.py        2004-09-19 12:49:30.000000000
>> -0700
>> @@ -198,7 +198,7 @@
>> 
>> 
>>  # TBD: what other characters should be disallowed?
>> -_badchars = re.compile(r'[][()<>|;^,/\200-\377]')
>> +_badchars = re.compile(r'[][()<>|;^,/\000-\037\177-\377]')
>> 
>>  def ValidateEmail(s):
>>      """Verify that the an email address isn't grossly evil."""
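
Review bot: The widened class on the `+` line (`\000-\037\177-\377`) is described in the message as totally untested, so it should land with test cases for ValidateEmail: one address containing a control character such as \010, one containing \177, and one with a character in \200-\377 to confirm the previously rejected range is still rejected. The `# TBD` comment above `_badchars` would be the natural place to record why control characters are now excluded. This check only blocks new subscriptions; an address with a control character that is already on a list, as in the subject of this thread, still needs a way to be removed.
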
>
>This patch looks reasonable and will be merged in CVS soon. Also, I
>wonder if '/' should be removed from this list. It is an X.400 char
>and allowing it has long been asked for. My test with postfix looks
>like it accepts it at least in aliases, and testing with the mailman
>options interface looks OK (although I am a little bit uneasy because
>mailman cgi separates command options with the '/' character).
>

I would be more than a bit uneasy about removing the '/' from this list
for just that reason. Removing it would allow an address with a '/' to
be subscribed or at least to pass this test before being subscribed.

The problem that comes immediately to mind is what happens to the links
to the user's options page which are of the form
http://server/mailman/options/listname/user--at--domain or
http://server/mailman/options/listname/user@domain when user contains
a '/'?

My gut feeling is that allowing the '/' would involve a lot more work
than just removing it from the _badchars list.

--
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
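
The two points discussed in this thread, as an added example that is not part of the original message and is not Mailman's code: it compares the old and new `_badchars` classes from the quoted patch on constructed addresses, and shows why an address containing '/' does not survive an options link of the form given above. `options_path`, `parse_options_path` and `round_trips` are hypothetical helpers that model a CGI splitting its path on '/'; the patterns are run under Python 3, where they match code points 0-255 rather than bytes.

```python
import re

# Character classes copied from the '-' and '+' lines of the patch quoted above.
OLD_BADCHARS = re.compile(r'[][()<>|;^,/\200-\377]')
NEW_BADCHARS = re.compile(r'[][()<>|;^,/\000-\037\177-\377]')

# Constructed sample addresses (not taken from the bug report).
SAMPLES = [
    "user@example.com",        # ordinary address
    "us\x08er@example.com",    # backspace (\010) in the local part
    "user\x7f@example.com",    # DEL (\177)
    "us\xe9r@example.com",     # \351, rejected by both classes
    "dept/user@example.com",   # '/' in the local part
]

def rejected(pattern, addr):
    """True if the character class finds a disallowed character in addr."""
    return pattern.search(addr) is not None

def options_path(listname, addr):
    """Path of an options link in the form given in the message (no escaping)."""
    return "/mailman/options/%s/%s" % (listname, addr)

def parse_options_path(path):
    """Hypothetical CGI-side parse: split on '/', expect exactly list + user."""
    parts = [p for p in path.split("/") if p][2:]   # drop 'mailman', 'options'
    if len(parts) != 2:
        raise ValueError("expected listname/user, got %r" % (parts,))
    return parts[0], parts[1]

def round_trips(listname, addr):
    """Does the address survive being put in a link and parsed back?"""
    try:
        return parse_options_path(options_path(listname, addr)) == (listname, addr)
    except ValueError:
        return False

if __name__ == "__main__":
    for a in SAMPLES:
        print("%-28r old=%-5s new=%-5s link_ok=%s" % (
            a, rejected(OLD_BADCHARS, a), rejected(NEW_BADCHARS, a),
            round_trips("testlist", a)))
```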
