Bill Cole writes:

> > So this is potentially very complicated.
>
> Case-squashing domain parts? Not complicated. Simple.

This is true if you are talking about following the Internet's rules. I wasn't; I was talking about equivalencing identity tokens that happen to look like email addresses. There is, of course, some constraint on Mailman's behavior in that it actually uses those tokens as email addresses to confirm identity by sending email to them.

> Also simple: NEVER try to interpret or canonicalize local-parts that
> exist in someone else's domain.

As Mark points out, that horse left the barn decades ago. In this case apparently that is "user-friendly" (it seems that only the domain differs in case), but if some site is in fact case insensitive for local parts, the CSRF check will throw a false positive in a situation similar to the OP, but where local parts differ in some way insignificant for that domain.

> You cannot programmatically determine whether 2 different
> local-parts are equivalent unless you run the delivery system for
> them.

Yup. Which means making Mailman behave "nicely" from the user's point of view is complicated in the situation in the OP.

------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
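As an added illustration of the comparison rule the thread settles on (this is not code from the thread or from Mailman itself), the Python below folds case only in the domain part, leaves the local part exactly as given, and lets the list operator opt particular domains into local-part case-insensitivity, since, as Bill says, nothing short of the receiving delivery system can decide that. The function names and the operator-maintained `local_case_insensitive_domains` set are assumptions for the example.

```python
from __future__ import annotations


def split_address(addr: str) -> tuple[str, str]:
    """Split an address into (local part, domain) at the LAST '@'.

    Splitting at the last '@' keeps a quoted local part such as
    "a@b"@example.org intact instead of chopping it in the middle.
    """
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return local, domain


def canonicalize(addr: str,
                 local_case_insensitive_domains: frozenset[str] = frozenset()) -> str:
    """Return a comparison key for an identity token that looks like an address.

    - The domain part is a DNS name, so it is case-insensitive: lowercase it
      and drop a trailing root dot.
    - The local part belongs to the receiving domain, which is the only party
      that knows whether two spellings reach the same mailbox.  It is left
      untouched unless the operator has listed that domain in
      local_case_insensitive_domains (an assumed, operator-maintained set).
    """
    local, domain = split_address(addr.strip())
    domain = domain.rstrip(".").lower()
    if domain in local_case_insensitive_domains:
        local = local.lower()
    return f"{local}@{domain}"


def same_identity(a: str, b: str,
                  local_case_insensitive_domains: frozenset[str] = frozenset()) -> bool:
    """True when the two tokens canonicalize to the same key."""
    return (canonicalize(a, local_case_insensitive_domains)
            == canonicalize(b, local_case_insensitive_domains))


if __name__ == "__main__":
    # Constructed sample pairs mirroring the situations discussed in the thread.
    pairs = [
        ("Bill@Example.COM", "Bill@example.com"),   # only the domain differs in case
        ("bill@example.com", "Bill@example.com"),   # local part differs in case
    ]
    opted_in = frozenset({"example.com"})
    for x, y in pairs:
        print(f"{x} vs {y}: strict={same_identity(x, y)}, "
              f"example.com opted in={same_identity(x, y, opted_in)}")
```

With the strict default, the first pair compares equal and the second does not, which is exactly the false-positive case the thread describes for a site that happens to ignore local-part case; adding that site to the operator's set is the only way to make the second pair match without guessing about someone else's domain.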