[Mailman-Users] Bug in SUBSCRIBE_FORM_SECRET feature?
Mark Sapiro
mark at msapiro.net
Wed Dec 18 16:04:14 CET 2013
On 12/18/2013 01:27 AM, Sebastian Hagedorn wrote:
>
> I installed Mailman 2.1.17 last night (upgrade from 2.1.15) and decided
> to give the SUBSCRIBE_FORM_SECRET feature a try, since we don't use
> static subscribe forms. All seemed well, but this morning I noticed that
> the listinfo page for some of the lists didn't work anymore. Here's an
> example from the error log:
>
...
> admin(328): File "/usr/lib/mailman/Mailman/Cgi/listinfo.py", line 194,
> in list_listinfo
> admin(328): mlist.internal_name() +
> admin(328): TypeError: unsupported operand type(s) for +: 'int' and 'str'

It appears that you put something like

    SUBSCRIBE_FORM_SECRET = Yes

in mm_cfg.py. If you set SUBSCRIBE_FORM_SECRET, it must be a string as
for example:

    SUBSCRIBE_FORM_SECRET = 'My little SecreT'

This is intended to be a string unique to your site so an attacker can't
compute the hash needed in sub_form_token.

--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
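
The role of the site secret described in the reply above, as an added sketch that is not Mailman's own code and not part of the original post. It is written for Python 3 and uses HMAC-SHA256 as a stand-in for Mailman's hash construction; the function names, the one-hour lifetime, the list name and the address are assumptions. It rejects a non-string secret when the configuration is checked instead of failing when the page is rendered.

```python
import hashlib
import hmac

MAX_AGE = 3600  # assumed token lifetime in seconds (not a Mailman setting)


def check_secret(secret):
    """Fail when the configuration is loaded if the secret is unusable."""
    if not isinstance(secret, str) or not secret.strip():
        raise ValueError("SUBSCRIBE_FORM_SECRET must be a non-empty string, "
                         "got %r" % (secret,))
    return secret


def _digest(secret, issued, listname, remote):
    # NUL-separated fields so adjacent values cannot run into each other.
    msg = "\0".join((str(issued), listname, remote)).encode("utf-8")
    key = check_secret(secret).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_token(secret, listname, remote, now):
    """Hidden form field value: '<issue time>:<hex digest>'."""
    issued = int(now)
    return "%d:%s" % (issued, _digest(secret, issued, listname, remote))


def verify_token(secret, token, listname, remote, now):
    """True only for an unexpired token made with this site's secret."""
    issued_text, _, digest = token.partition(":")
    try:
        issued = int(issued_text)
    except ValueError:
        return False
    if not 0 <= now - issued <= MAX_AGE:
        return False
    expected = _digest(secret, issued, listname, remote)
    return hmac.compare_digest(expected.encode(), digest.encode())


if __name__ == "__main__":
    # Constructed sample values; the secret string is the one from the post.
    t0 = 1387378800
    tok = make_token("My little SecreT", "test-list", "192.0.2.10", t0)
    print(verify_token("My little SecreT", tok, "test-list", "192.0.2.10", t0 + 60))
    print(verify_token("guessed secret", tok, "test-list", "192.0.2.10", t0 + 60))
```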