[Mailman-Users] CSRF prevention in mailman3

Barry Warsaw barry at list.org
Mon Jan 30 18:13:42 CET 2012

On Jan 29, 2012, at 06:57 PM, Anil Jangity wrote:

>Will mailman3 have any security measures in the form submissions to prevent
>CSRF?  http://en.wikipedia.org/wiki/Cross-site_request_forgery

Mailman 3 has quite a different architecture than Mailman 2.  Specifically,
the web UI is a separate project from the core engine, and the two talk to
each other over REST+JSON.

The impact of this on the above question is two part.  First, yes there is an
official web UI being developed in Django.  Florian Fuchs and Terri Oda are
leading that work, and we will be sprinting on integration of this with the
core at Pycon 2012.  Everybody is welcome to join us of course, but please do
sign up here if you are going to attend:


What this means is that CSRFs and other exploits must be addressed within the
context of Django, but none of the web vulnerabilities that still exist in the
MM2 web UI (if any) will have any impact on this.  I do suggest contacting
mailman-security at list.org if you have any known issues.  Mark has been
fantastic at fixing these when they're brought to our attention.

The second part of the story is that with Mailman 3, you aren't limited to the
official Django-based web UI.  Anything that speaks HTTP and JSON (or iow, the
whole freakin' web :) can be integrated with the core engine.  So if you have
your own web site, or want to build a web UI from PHP, you can integrate it
with the core engine just as easily as the official Django web UI.  We're not
using any hidden, magical, or special APIs to do this, so anything we can do,
you can do.

We welcome further discussion and participation, but
mailman-developers at python.org is the better mailing list to use for that.


More information about the Mailman-Users mailing list