[Mailman-Users] Bug in SUBSCRIBE_FORM_SECRET feature?

Mark Sapiro mark at msapiro.net
Wed Dec 18 16:04:14 CET 2013


On 12/18/2013 01:27 AM, Sebastian Hagedorn wrote:
> 
> I installed Mailman 2.1.17 last night (upgrade from 2.1.15) and decided
> to give the SUBSCRIBE_FORM_SECRET feature a try, since we don't use
> static subscribe forms. All seemed well, but this morning I noticed that
> the listinfo page for some of the lists didn't work anymore. Here's an
> example from the error log:
> 
...
> admin(328):   File "/usr/lib/mailman/Mailman/Cgi/listinfo.py", line 194,
> in list_listinfo
> admin(328):     mlist.internal_name() +
> admin(328): TypeError: unsupported operand type(s) for +: 'int' and 'str'


It appears that you put something like

SUBSCRIBE_FORM_SECRET = Yes

in mm_cfg.py. If you set SUBSCRIBE_FORM_SECRET, it must be a string as
for example:

SUBSCRIBE_FORM_SECRET = 'My little SecreT'

This is intended to be a string unique to your site so an attacker can't
compute the hash needed in sub_form_token.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
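
Added example, not part of the original message and not Mailman's own code: a sketch of a secret-keyed form token in the spirit of sub_form_token, with a type check that rejects a non-string secret when the token is built instead of failing inside the string concatenation. The function names, the HMAC-SHA256 construction, the token layout and the one-hour lifetime are assumptions of this sketch.

```python
import hashlib
import hmac
import time

MAX_AGE = 3600  # seconds a token stays valid (assumed value for this sketch)


def check_secret(value):
    """Return the secret as bytes, or raise if it is not a usable string."""
    # Values such as 1 or True pass a truthiness test but are not secrets.
    if not isinstance(value, str):
        raise TypeError("SUBSCRIBE_FORM_SECRET must be a string, got %s"
                        % type(value).__name__)
    if not value.strip():
        raise ValueError("SUBSCRIBE_FORM_SECRET must not be empty")
    return value.encode("utf-8")


def make_token(secret, listname, remote, now=None):
    """Build 'timestamp:digest' bound to the list and the requesting address."""
    key = check_secret(secret)
    stamp = str(int(time.time() if now is None else now))
    msg = "\n".join((stamp, listname, remote)).encode("utf-8")
    return stamp + ":" + hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_token(secret, token, listname, remote, now=None):
    """True only for an unexpired token made with the same secret and inputs."""
    stamp, sep, _digest = token.partition(":")
    if not sep or not token.isascii() or not stamp.isdigit():
        return False
    current = time.time() if now is None else now
    if not 0 <= current - int(stamp) <= MAX_AGE:
        return False
    expected = make_token(secret, listname, remote, now=int(stamp))
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real site.
    tok = make_token("My little SecreT", "test-list", "192.0.2.10", now=1387379054)
    print(tok)
    print(verify_token("My little SecreT", tok, "test-list", "192.0.2.10",
                       now=1387379100))
    try:
        make_token(1, "test-list", "192.0.2.10")  # non-string, like the int in the traceback
    except TypeError as exc:
        print("rejected:", exc)
```

Without knowledge of the site secret, a client cannot produce a digest that verify_token accepts, and a token copied to another list, address or time window fails the comparison.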
