[Mailman-Users] Re: Handling non-members in Cgi/options.py

2022-02-22 Thread Stephen J. Turnbull
Mark Sapiro writes:
 > On 2/22/22 10:00, Mark Sapiro wrote:
 > > On 2/22/22 05:56, Stephen J. Turnbull wrote:

 > >> I think in both cases you can return the login page with the address
 > >> filled in.
 > > 
 > > You are correct and it's trivial to do. I will fix it.
 > 
 > Fixed at 
 > https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1888

Nice!  That makes a rough day a little bit nicer. :-)

Steve
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/


[Mailman-Users] Re: Handling non-members in Cgi/options.py

2022-02-22 Thread Mark Sapiro

On 2/22/22 10:00, Mark Sapiro wrote:
> On 2/22/22 05:56, Stephen J. Turnbull wrote:
>> I think in both cases you can return the login page with the address
>> filled in.  Not sure if this would be easy to do in the code, but I
>> think this would satisfy both the "minimum effort for user" criterion
>> and the "don't reveal subscription status" criterion, unless I
>> misunderstand the scenario.
>
> You are correct and it's trivial to do. I will fix it.

Fixed at
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1888


--
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan


[Mailman-Users] Re: Handling non-members in Cgi/options.py

2022-02-22 Thread Mark Sapiro

On 2/22/22 05:56, Stephen J. Turnbull wrote:
> Mark Sapiro writes:
>
>  > There is still a subtle difference in that if the address given is
>  > a member, the login page asks only for a password, but if it's not
>  > a member the login page asks for both an address and a password, but I
>  > think that's the best that can be done.
>
> I think in both cases you can return the login page with the address
> filled in.  Not sure if this would be easy to do in the code, but I
> think this would satisfy both the "minimum effort for user" criterion
> and the "don't reveal subscription status" criterion, unless I
> misunderstand the scenario.

You are correct and it's trivial to do. I will fix it.



[Mailman-Users] Re: Handling non-members in Cgi/options.py

2022-02-22 Thread Stephen J. Turnbull
Mark Sapiro writes:

 > There is still a subtle difference in that if the address given is
 > a member, the login page asks only for a password, but if it's not
 > a member the login page asks for both an address and a password, but I
 > think that's the best that can be done.

I think in both cases you can return the login page with the address
filled in.  Not sure if this would be easy to do in the code, but I
think this would satisfy both the "minimum effort for user" criterion
and the "don't reveal subscription status" criterion, unless I
misunderstand the scenario.

Steve




[Mailman-Users] Re: Handling non-members in Cgi/options.py

2022-02-22 Thread David Siebörger
Thank you for the fix.  I've tested it and it's working here.


[Mailman-Users] Re: Handling non-members in Cgi/options.py

2022-02-22 Thread Mark Sapiro

On 2/21/22 13:08, David Siebörger wrote:
> It seems to me that the logic in this change is not correct:
>
> https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1881
>
> For lists with private_roster > 0, when the user has entered an email address
> which is not subscribed to that list, the return is taken without having printed a
> response.  In my environment, Apache httpd then sends a 500 Internal Server Error
> to the browser.  While not saying so in so many words, this behaviour does subtly
> disclose that the email address is not subscribed.  The only privacy-preserving
> way to proceed would be for Mailman to pretend that the user is subscribed, which
> is what happened prior to this revision.


I have reported this at https://bugs.launchpad.net/mailman/+bug/1961762

Unfortunately I can't just revert this change. Other necessary changes 
result in https://bugs.launchpad.net/mailman/+bug/1951769 without this 
change. The best I can do is this:

```
if not mlist.isMember(user):
    # Only a public roster (private_roster == 0) may say the address is unknown.
    if mlist.private_roster == 0:
        doc.addError(_('No such member: %(safeuser)s.'))
    # In every case render the login page and stop, so no code path
    # returns without output (the cause of the 500 error).
    loginpage(mlist, doc, None, language)
    print doc.Format()
    return
```
Which will return the login page. This will avoid the 500 Internal 
Server Error, and in the case where one is coming from the listinfo 
page, will just display the login page. There is still a subtle 
difference in that if the address given is a member, the login page asks 
only for a password, but if it's not a member the login page asks for both 
an address and a password, but I think that's the best that can be done.


I have committed this change at 
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1887


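As an added illustration (not Mailman's code and not from the thread), the following Python models the two response shapes discussed above: the pre-1887 fall-through that ends in a 500 for non-members on a private roster, and the fixed handler that always renders the login page with the address filled in (revisions 1887 and 1888). The roster and addresses are constructed, and the public-roster branch of the old code is an assumption, since the thread only describes the private case.

```python
"""Added example, not Mailman's own code: a model of the options.py
response for a member vs. a non-member address, so the two cases can be
compared.  private_roster follows Mailman 2.1: 0 = public, > 0 = private."""

# Constructed sample roster; the addresses are placeholders.
MEMBERS = {"alice@example.org"}


def is_member(addr):
    return addr.lower() in MEMBERS


def options_before(addr, private_roster):
    """Shape of the check before revision 1887: a non-member on a private
    roster returns with nothing printed, which httpd turns into a 500, so
    the status code itself reveals non-membership.  (The public-roster
    branch is an assumption; the thread only describes the private case.)"""
    if is_member(addr):
        return {"page": "login", "error": None, "address": addr}
    if private_roster == 0:
        return {"page": "login", "error": "No such member", "address": ""}
    return None  # nothing printed -> 500 Internal Server Error


def options_after(addr, private_roster):
    """Shape of the fix (revisions 1887 + 1888): always render the login
    page, prefilled with the address; the 'No such member' error is shown
    only when the roster is public and membership is not a secret."""
    page = {"page": "login", "error": None, "address": addr}
    if not is_member(addr) and private_roster == 0:
        page["error"] = "No such member"
    return page


def leaks_membership(handler, private_roster):
    """True if a member and a non-member get distinguishable responses,
    i.e. the page is usable as a subscription-status oracle.  The address
    field is ignored because it only echoes what the user typed."""
    def shape(resp):
        if resp is None:
            return "HTTP 500"
        return (resp["page"], resp["error"])
    member = handler("alice@example.org", private_roster)
    stranger = handler("nobody@example.org", private_roster)
    return shape(member) != shape(stranger)
```

Running `leaks_membership` against both handlers with `private_roster=1` shows the old code distinguishable and the fixed code not; with `private_roster=0` the "No such member" error is shown by design, because the roster is public anyway.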