[Mailman-Users] Somebody could not subscribe to pypy-dev at python.org

Mark Sapiro mark at msapiro.net
Wed Apr 22 23:34:00 CEST 2015


On 04/22/2015 01:34 PM, Laura Creighton wrote:
> 
> He says he got the form from https://mail.python.org/mailman/listinfo/pypy-dev
> 
> So what can corrupt the token, I wonder.  How chrome stores tokens
> and what things -- like an add blocker -- could modify or remove
> it isn't one of the things I know.  And how this fits in with 'ok
> when no password used, not ok when a password used' seems quite puzzling
> to me.


It is a stretch, but the HTML for the form tag and its input tags looks
something like

    <FORM Method=POST ACTION="../subscribe/pypy-dev">
    <input type="hidden" name="sub_form_token"
           value="1429735034:cebafdd44a345e440de23b4ba49d63b71439258a">

    <INPUT type="Text" name="email" size="30" value="">
    <INPUT type="Text" name="fullname" size="30" value="">
    <INPUT type="Password" name="pw" size="15">
    <INPUT type="Password" name="pw-conf" size="15">
    <input type=radio name="digest" value="0" CHECKED> No
    <input type=radio name="digest" value="1">  Yes
    <INPUT type="Submit" name="email-button" value="Subscribe">
    </FORM>

It is conceivable that some browser could corrupt the sub_form_token
value upon submission if and only if the password fields are empty, but
as I say, it's a stretch.

When did this issue occur? I have looked at the web server logs back to
March 30, and every POST to mailman/subscribe/pypy-dev in those logs is
from a bot attempting to subscribe to many lists.

There is another possibility. The digits left of the colon in the token
are the Unix time of when the token was generated and the stuff to the
right is a hex digest of a sha-1 hash of the time, listname, remote IP,
and a 'secret'.

There's probably a bug here, but if the token is missing, the user gets
the 'Please take a few seconds to fill out the form before submitting
it.' message. (It would be better I think to issue the 'The form is too
old.  Please GET it again.' message in this case)

The only way the 'You must GET the form before submitting it.' message
is issued is if the time is within the 1 hour >= time >= 5 seconds
window and the hash doesn't match. This could occur if the user is
accessing the site through some kind of proxy or other device which
submits the form from a different IP than the one that got it.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
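The token scheme and the three error paths Mark describes above (missing token, time outside the 5 second to 1 hour window, hash mismatch from a changed remote IP) can be reproduced in a small model. The following is an added example written for this page; it is not Mailman's own code. The secret is a constructed placeholder (Mailman's real value lives in its configuration and is not shown in the post), and the order in which time, list name, IP and secret are concatenated before hashing is an assumption, since the post only says the hash covers those four values.

```python
import hashlib
import hmac
import time

# Constructed placeholder, not Mailman's configured secret.
SECRET = "example-secret-not-mailmans"

MIN_AGE = 5        # seconds: a younger token is treated as a too-fast (bot) submission
MAX_AGE = 60 * 60  # seconds: an older token is rejected as stale

# The three messages quoted in the post.
TOO_FAST = "Please take a few seconds to fill out the form before submitting it."
TOO_OLD = "The form is too old.  Please GET it again."
BAD_HASH = "You must GET the form before submitting it."


def _digest(timestamp, listname, remote_ip, secret):
    # Concatenation order is an assumption for this example; the post only
    # states that the SHA-1 covers time, listname, remote IP and a secret.
    material = f"{timestamp}:{listname}:{remote_ip}:{secret}".encode()
    return hashlib.sha1(material).hexdigest()


def make_token(listname, remote_ip, now=None, secret=SECRET):
    """Build '<unixtime>:<sha1hex>', the shape of the hidden sub_form_token value."""
    timestamp = int(time.time() if now is None else now)
    return f"{timestamp}:{_digest(timestamp, listname, remote_ip, secret)}"


def check_token(token, listname, remote_ip, now=None, secret=SECRET):
    """Validate a submitted token against the submitting IP. Returns (accepted, message)."""
    current = int(time.time() if now is None else now)
    timestamp_text, _, submitted_digest = (token or "").partition(":")
    if not timestamp_text.isdigit() or not submitted_digest:
        # Missing or malformed token: as the post notes, this path yields the
        # "take a few seconds" message rather than a dedicated one.
        return False, TOO_FAST
    age = current - int(timestamp_text)
    if age < MIN_AGE:
        return False, TOO_FAST
    if age > MAX_AGE:
        return False, TOO_OLD
    # Inside the window: the digest must match for *this* remote IP, so a
    # submission relayed through a proxy with a different IP fails here.
    expected = _digest(int(timestamp_text), listname, remote_ip, secret)
    if not hmac.compare_digest(expected, submitted_digest):
        return False, BAD_HASH
    return True, ""


if __name__ == "__main__":
    issued = 1429735034  # the timestamp part of the token quoted in the post
    token = make_token("pypy-dev", "192.0.2.10", now=issued)
    print(check_token(token, "pypy-dev", "192.0.2.10", now=issued + 30))    # accepted
    print(check_token(token, "pypy-dev", "198.51.100.7", now=issued + 30))  # IP changed in transit
    print(check_token(token, "pypy-dev", "192.0.2.10", now=issued + 2))     # submitted too fast
    print(check_token(token, "pypy-dev", "192.0.2.10", now=issued + 7200))  # stale form
```

The IP-mismatch branch is the one worth watching in server logs when a legitimate user reports "You must GET the form before submitting it.": it fires only when the timestamp is inside the window, so the distinguishing signal is a valid-looking token arriving from an address other than the one that fetched the form.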

