[Mailman-Users] mailman loops because of & in an address

Barry A. Warsaw barry at zope.com
Fri Apr 26 18:16:46 CEST 2002


>>>>> "AS" == Antenna Support <support at antenna.nl> writes:

    AS> We just experienced a loop: a message was sent many times
    AS> because it wasn't deleted in the /home/mailman/qfiles
    AS> directory. The error mailed was:

    AS> /usr/bin/python -S /home/mailman/cron/qrunner

    | sh: c.lovell at xtra.co.nz: command not found
    | c... User unknown

    | It appeared that there was an address added to the list:
    | m&c.lovell at xtra.co.nz

    AS> The loop could only be stopped by removing the .msg and .db
    AS> file in the qfiles directory. I also removed this address from
    AS> the subscribers.

    AS> Is there anything I can do to prevent this from happening
    AS> again?

Don't use the Sendmail.py DELIVERY_MODULE.  It goes through the shell,
and its input is not properly escaped.  For the same reason,
Sendmail.py is a security problem.

Mailman itself can handle addresses with &'s in them just fine (and I
believe they're legal as per RFC 2822).  Use the SMTPDirect.py
delivery module and you should be fine.

-Barry
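
An added illustration (not part of the original message and not Mailman's code) of why an address containing `&` breaks when it is pasted unescaped into a shell command line, beside two forms that deliver it as a single argument. `FAKE_MTA`, the function names and the address are assumptions constructed for the example; the argv and quoting variants are general hardening patterns, not the SMTPDirect.py module recommended above.

```python
import shlex
import subprocess
import sys

# Stand-in for the MTA binary (assumption, so nothing is mailed): a child
# Python process that prints every argument it received, one per line.
FAKE_MTA = [sys.executable, "-c", "import sys; [print(a) for a in sys.argv[1:]]"]

# Constructed address with the same shape as the one in the report.
RECIPIENT = "a&b.user@example.invalid"


def run(cmd, shell):
    """Run cmd; return (arguments the stand-in MTA saw, exit status)."""
    p = subprocess.run(cmd, shell=shell, capture_output=True, text=True)
    return p.stdout.split(), p.returncode


def deliver_via_shell(recipient):
    """Unescaped: the address is pasted into a string that /bin/sh parses.
    The shell treats '&' as a command separator, so the MTA sees only the
    text before it and the remainder is run as a separate command."""
    return run(shlex.join(FAKE_MTA) + " " + recipient, shell=True)


def deliver_via_quoted_shell(recipient):
    """Still through the shell, but every word is quoted first."""
    return run(shlex.join(FAKE_MTA + [recipient]), shell=True)


def deliver_via_argv(recipient):
    """No shell: the address is one element of the argument vector."""
    return run(FAKE_MTA + [recipient], shell=False)


if __name__ == "__main__":
    for fn in (deliver_via_shell, deliver_via_quoted_shell, deliver_via_argv):
        print(fn.__name__, fn(RECIPIENT))
```

In the unescaped case the stand-in MTA receives only `a` and the shell exits with status 127 (command not found), the same failure shape as the `sh: ... command not found` line in the report.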





