[Mailman-Users] Bug in SUBSCRIBE_FORM_SECRET feature?

Sebastian Hagedorn Hagedorn at uni-koeln.de
Thu Dec 19 16:11:02 CET 2013


--On 18 December 2013 07:04:14 -0800 Mark Sapiro <mark at msapiro.net> wrote:

> On 12/18/2013 01:27 AM, Sebastian Hagedorn wrote:
>>
>> I installed Mailman 2.1.17 last night (upgrade from 2.1.15) and decided
>> to give the SUBSCRIBE_FORM_SECRET feature a try, since we don't use
>> static subscribe forms. All seemed well, but this morning I noticed that
>> the listinfo page for some of the lists didn't work anymore. Here's an
>> example from the error log:
>>
> ...
>> admin(328):   File "/usr/lib/mailman/Mailman/Cgi/listinfo.py", line 194,
>> in list_listinfo
>> admin(328):     mlist.internal_name() +
>> admin(328): TypeError: unsupported operand type(s) for +: 'int' and 'str'
>
>
> It appears that you put something like
>
> SUBSCRIBE_FORM_SECRET = Yes
>
> in mm_cfg.py. If you set SUBSCRIBE_FORM_SECRET, it must be a string as
> for example:
>
> SUBSCRIBE_FORM_SECRET= 'My little SecreT'
>
> This is intended to be a string unique to your site so an attacker can't
> compute the hash needed in sub_form_token.

Thanks, that solved the problem.

Cheers
Sebastian
-- 
    .:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
                 .:.Regionales Rechenzentrum (RRZK).:.
   .:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.
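
Added example, not part of the original thread and not Mailman's own code: a Python 3 sketch of a site-secret form token like the sub_form_token discussed above, showing why the setting has to be a string and why a client who lacks the secret cannot produce a valid hash. The SHA-1 choice, the field order (secret, timestamp, list name, client address), the one-hour window and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_AGE = 3600  # assumed validity window in seconds (constructed value)


def check_secret(value):
    """Reject non-string settings such as Yes (an int) before they reach the hash."""
    if not isinstance(value, str) or not value:
        raise TypeError(
            "SUBSCRIBE_FORM_SECRET must be a non-empty string, got %r" % (value,))
    return value


def _digest(secret, stamp, listname, remote):
    # Assumed field order: secret + timestamp + list name + client address.
    data = check_secret(secret) + stamp + listname + remote
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def make_token(secret, listname, remote, now=None):
    """Return 'timestamp:hexdigest' for embedding in the subscribe form."""
    stamp = str(int(time.time() if now is None else now))
    return "%s:%s" % (stamp, _digest(secret, stamp, listname, remote))


def verify_token(secret, token, listname, remote, now=None):
    """Accept only a fresh token whose digest matches this site, list and client."""
    stamp, sep, digest = token.partition(":")
    try:
        issued = int(stamp)
    except ValueError:
        return False
    if not sep:
        return False
    age = (time.time() if now is None else now) - issued
    if age < 0 or age > MAX_AGE:
        return False
    expected = _digest(secret, stamp, listname, remote)
    # Constant-time comparison of the expected and submitted digests.
    return hmac.compare_digest(expected.encode("ascii"), digest.encode("utf-8"))
```

Calling check_secret() once when the configuration is loaded turns a setting like Yes into a clear startup error instead of a traceback on the listinfo page.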

