[Mailman-Users] Re: Handling non-members in Cgi/options.py
Mark Sapiro writes:

 > On 2/22/22 10:00, Mark Sapiro wrote:
 > > On 2/22/22 05:56, Stephen J. Turnbull wrote:
 > >> I think in both cases you can return the login page with the address
 > >> filled in.
 > >
 > > You are correct and it's trivial to do. I will fix it.
 >
 > Fixed at
 > https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1888

Nice! That makes a rough day a little bit nicer. :-)

Steve

-- 
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
[Mailman-Users] Re: Handling non-members in Cgi/options.py
On 2/22/22 10:00, Mark Sapiro wrote:
> On 2/22/22 05:56, Stephen J. Turnbull wrote:
>> I think in both cases you can return the login page with the address
>> filled in.
>>
>> Not sure if this would be easy to do in the code, but I think this
>> would satisfy both the "minimum effort for user" criterion and the
>> "don't reveal subscription status" criterion, unless I misunderstand
>> the scenario.
>
> You are correct and it's trivial to do. I will fix it.

Fixed at
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1888

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
[Mailman-Users] Re: Handling non-members in Cgi/options.py
On 2/22/22 05:56, Stephen J. Turnbull wrote:
> Mark Sapiro writes:
>  > There is still a subtle difference in that if the address given is
>  > a member, the login page asks only for a password, but if it's not
>  > a member the login page asks for both an address and a password, but I
>  > think that's the best that can be done.
>
> I think in both cases you can return the login page with the address
> filled in.
>
> Not sure if this would be easy to do in the code, but I think this
> would satisfy both the "minimum effort for user" criterion and the
> "don't reveal subscription status" criterion, unless I misunderstand
> the scenario.

You are correct and it's trivial to do. I will fix it.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
[Mailman-Users] Re: Handling non-members in Cgi/options.py
Mark Sapiro writes:

 > There is still a subtle difference in that if the address given is
 > a member, the login page asks only for a password, but if it's not
 > a member the login page asks for both an address and a password, but I
 > think that's the best that can be done.

I think in both cases you can return the login page with the address
filled in.

Not sure if this would be easy to do in the code, but I think this would
satisfy both the "minimum effort for user" criterion and the "don't reveal
subscription status" criterion, unless I misunderstand the scenario.

Steve
[Mailman-Users] Re: Handling non-members in Cgi/options.py
Thank you for the fix. I've tested it and it's working here.
[Mailman-Users] Re: Handling non-members in Cgi/options.py
On 2/21/22 13:08, David Siebörger wrote:
> It seems to me that the logic in this change is not correct:
> https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1881
>
> For lists with private_roster > 0, when the user has entered an email
> address which is not subscribed to that list, the return is taken
> without having printed a response. In my environment, Apache httpd then
> sends a 500 Internal Server Error to the browser.
>
> While not saying so in so many words, this behaviour does subtly
> disclose that the email address is not subscribed. The only
> privacy-preserving way to proceed would be for Mailman to pretend that
> the user is subscribed, which is what happened prior to this revision.
>
> I have reported this at https://bugs.launchpad.net/mailman/+bug/1961762

Unfortunately I can't just revert this change. Other necessary changes
result in https://bugs.launchpad.net/mailman/+bug/1951769 without this
change.

The best I can do is this:

```python
if not mlist.isMember(user):
    if mlist.private_roster == 0:
        doc.addError(_('No such member: %(safeuser)s.'))
    loginpage(mlist, doc, None, language)
    print doc.Format()
    return
```

Which will return the login page. This will avoid the 500 Internal Server
Error, and in the case where one is coming from the listinfo page, will
just display the login page.

There is still a subtle difference in that if the address given is a
member, the login page asks only for a password, but if it's not a member
the login page asks for both an address and a password, but I think
that's the best that can be done.

I have committed this change at
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1887

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
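The thread above describes three successive behaviours of Cgi/options.py for an address that is not subscribed to a list with a private roster: revision 1881 (bare return, so httpd answers 500), revision 1887 (login page, but asking for address and password instead of password only) and revision 1888 (login page with the address filled in for everyone). The following is an added example, not Mailman's code and not Mark's patch: it models each behaviour with hypothetical stand-ins (`MailingList`, `Page`, `options_r1881` and so on are invented names, and the sample addresses are constructed) and checks which of the three lets an unauthenticated client tell a member from a stranger by comparing the two responses.

```python
"""Added example, not Mailman's own code: model the three behaviours of
Cgi/options.py described in this thread for an address that is not
subscribed to a private-roster list, and test which of them leaks
subscription status. All class, function and revision names are
hypothetical stand-ins for the real Mailman 2.1 objects."""
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

PUBLIC_ROSTER = 0  # stand-in for the mlist.private_roster == 0 case


@dataclass(frozen=True)
class Page:
    """What the browser can observe: status code, which form fields the
    login page asks for, and any error text shown."""
    status: int
    fields: Tuple[str, ...]
    errors: Tuple[str, ...] = ()
    prefilled_user: Optional[str] = None


@dataclass
class MailingList:
    """Hypothetical stand-in for a Mailman 2.1 MailList object."""
    private_roster: int
    members: frozenset = field(default_factory=frozenset)

    def isMember(self, addr: str) -> bool:
        return addr.lower() in self.members


def _not_member_error(mlist: MailingList, user: str) -> Tuple[str, ...]:
    # Only a public roster may name the missing member (the doc.addError
    # branch in Mark's snippet); a private roster says nothing.
    if mlist.private_roster == PUBLIC_ROSTER:
        return (f"No such member: {user}",)
    return ()


def options_r1881(mlist: MailingList, user: str) -> Page:
    """Revision 1881 as reported: a non-member of a private-roster list
    hits a bare return with nothing printed, so httpd answers 500."""
    if not mlist.isMember(user):
        if mlist.private_roster != PUBLIC_ROSTER:
            return Page(500, ())  # empty CGI output -> 500 from httpd
        return Page(200, ("user", "password"), _not_member_error(mlist, user))
    return Page(200, ("password",), prefilled_user=user)


def options_r1887(mlist: MailingList, user: str) -> Page:
    """Revision 1887: always print the login page, but a non-member is
    asked for address and password while a member is asked only for the
    password. No 500 any more, yet the form shape still differs."""
    if not mlist.isMember(user):
        return Page(200, ("user", "password"), _not_member_error(mlist, user))
    return Page(200, ("password",), prefilled_user=user)


def options_r1888(mlist: MailingList, user: str) -> Page:
    """Revision 1888: the login page comes back with the address filled in
    for members and non-members alike, so the responses coincide."""
    return Page(200, ("password",), _not_member_error(mlist, user),
                prefilled_user=user)


Handler = Callable[[MailingList, str], Page]


def leaks_membership(handler: Handler, mlist: MailingList,
                     member: str, stranger: str) -> bool:
    """True if comparing the two responses reveals which address is
    subscribed. The pre-filled address is the client's own input and so
    carries no information; it is left out of the comparison."""
    a, b = handler(mlist, member), handler(mlist, stranger)
    return (a.status, a.fields, a.errors) != (b.status, b.fields, b.errors)


def audit(mlist: MailingList, member: str, stranger: str) -> dict:
    """Run every modelled revision against one member and one stranger."""
    return {name: leaks_membership(h, mlist, member, stranger)
            for name, h in (("r1881", options_r1881),
                            ("r1887", options_r1887),
                            ("r1888", options_r1888))}


if __name__ == "__main__":
    # Constructed sample lists and addresses, not taken from any real site.
    private = MailingList(1, frozenset({"alice@example.org"}))
    public = MailingList(0, frozenset({"alice@example.org"}))
    print("private roster:", audit(private, "alice@example.org", "mallory@example.net"))
    print("public roster: ", audit(public, "alice@example.org", "mallory@example.net"))
```

For the private-roster list the audit flags r1881 (status code differs) and r1887 (form fields differ) and clears r1888; for the public-roster list all three are flagged, which is the intended behaviour since a public roster discloses membership by design. The comparison here covers only status, form fields and error text; when testing a real deployment, response length and timing are further channels worth diffing with the same member/stranger pair.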