[Mailman-Users] Sanitizer settings on a per-list basis
I know about setting the Scrubber/sanitizer settings in mm_cfg.py as per this FAQ entry:

http://www.python.org/cgi-bin/faqw-mm.py?req=editfile=faq04.037.htp

But is there a way to make it apply on a per-list basis rather than server-wide?

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
Re: [Mailman-Users] Sanitizer settings on a per-list basis
Matt Cohen wrote:

> I know about setting the Scrubber/sanitizer settings in mm_cfg.py as per this FAQ entry:
>
> http://www.python.org/cgi-bin/faqw-mm.py?req=editfile=faq04.037.htp
>
> But is there a way to make it apply on a per-list basis rather than server-wide?

No there isn't. The reason for this is that this allows cross site scripting (XSS) attacks against the entire server by archiving potentially malicious HTML. This is a server-wide vulnerability so it should be up to the server administrators to enable it.

We could treat the option differently, as for example we do with OWNERS_CAN_ENABLE_PERSONALIZATION, but since we highly discourage this option anyway, no one has made the effort to implement this.

--
Mark Sapiro [EMAIL PROTECTED]
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
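An added illustration of the risk described in the reply above (not part of the thread and not Mailman's own code): it stores the text/html part of a constructed message the way an archiver would when escaping it versus keeping it raw, then lists the tags a browser would still interpret. Treating value 3 as the non-escaping setting is an assumption recalled from the comments in Mailman 2.1's Defaults.py; only value 2 is quoted on this page.

```python
# Added sketch, not Mailman's Scrubber: escaped versus raw storage of an HTML part.
import html
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample post; the script body is a harmless placeholder.
SAMPLE_POST = """\
Subject: formatted post
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Hello list
--BOUND
Content-Type: text/html; charset="us-ascii"

<p>Hello <b>list</b></p><script>document.title='x'</script>
--BOUND--
"""

ESCAPE = 2  # "Leave it inline, but HTML-escape it" (comment quoted in the thread)
RAW = 3     # assumption: the non-escaping value, as recalled from Defaults.py

def archived_html(raw_message, mode):
    """Return each text/html part as it would be stored under the given mode."""
    stored = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "us-ascii"
        body = part.get_payload(decode=True).decode(charset, "replace")
        if mode not in (ESCAPE, RAW):
            raise ValueError("mode not modelled in this sketch")
        stored.append(html.escape(body) if mode == ESCAPE else body)
    return stored

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        self.found.append(tag)

def live_tags(fragment):
    """Tags a browser would still interpret in a stored archive fragment."""
    parser = _Tags()
    parser.feed(fragment)
    return parser.found
```

Because every list's archive is served by the same web server, a fragment stored raw on one list is enough to expose readers of that server, which is why the switch sits in mm_cfg.py rather than in per-list options.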
Re: [Mailman-Users] Sanitizer settings
So I'm still not sure why SANITIZER doesn't seem to have any effect. All I want is for list messages not to have HTML attachments every time they include a bit of formatting. Is my method below wrong? Is there another way to achieve this?

Thanks,
Scot

Scot Hacker wrote:

> A user is asking why HTML messages are ending up with attachments (which their organization is bouncing back to them since it doesn't allow HTML attachments).
>
> I found this in Defaults.py
>
>     ARCHIVE_HTML_SANITIZER = 1
>
> The comments there say:
>
>     # 2 - Leave it inline, but HTML-escape it
>
> I added this to mm_cfg.py. Then I changed the 1 to 2, but it doesn't seem to have any effect. Formatted messages still come through with attachments, and when I view source on a message, the HTML does not appear to be escaped. Ran mailmanctl restart, but no difference.
>
> How can I make formatted messages appear inline without attachments?
>
> Thanks,
> Scot
Re: [Mailman-Users] Sanitizer settings
On May 12, 2005, at 16:03, Scot Hacker wrote:

> A user is asking why HTML messages are ending up with attachments (which their organization is bouncing back to them since it doesn't allow HTML attachments).

What is in the attachments? (Do you have a list footer added to messages passing through your Mailman? Some users will describe the footer as an attachment to an HTML or multipart/alternative message. Make the footer empty.)

http://www.python.org/cgi-bin/faqw-mm.py?req=showfile=faq04.039.htp

> I found this in Defaults.py
>
>     ARCHIVE_HTML_SANITIZER = 1
>
> The comments there say:
>
>     # 2 - Leave it inline, but HTML-escape it
>
> I added this to mm_cfg.py. Then I changed the 1 to 2, but it doesn't seem to have any effect. Formatted messages still come through with attachments,

This setting affects what goes into your list archives.

> So I'm still not sure why SANITIZER doesn't seem to have any effect. All I want is for list messages not to have HTML attachments every time they include a bit of formatting. Is my method below wrong? Is there another way to achieve this?

If you are using Mailman's content filtering, double check your MIME type filtering and html/text conversion rules on the Content filtering web page for your list.

--
Jim Tittsler http://www.OnJapan.net/ GPG: 0x01159DB6
Python Starship http://Starship.Python.net/crew/jwt/
Mailman IRC irc://irc.freenode.net/#mailman
Re: [Mailman-Users] Sanitizer settings
Jim Tittsler wrote:

> On May 12, 2005, at 16:03, Scot Hacker wrote:
>
>> A user is asking why HTML messages are ending up with attachments (which their organization is bouncing back to them since it doesn't allow HTML attachments).
>
> What is in the attachments? (Do you have a list footer added to messages passing through your Mailman? Some users will describe the footer as an attachment to an HTML or multipart/alternative message. Make the footer empty.)
>
> http://www.python.org/cgi-bin/faqw-mm.py?req=showfile=faq04.039.htp

Ah... thanks very much for the clue. Yep, disabling the footer fixes the issue (although we're then left without a footer). Interesting FAQ. Somehow, this was not happening when the lists were running through CommuniGate Pro; I'm not sure how that MTA solves the problem. But at least this is a possible solution for Mailman, so thanks.

> If you are using Mailman's content filtering, double check your MIME type filtering and html/text conversion rules on the Content filtering web page for your list.

No, we're not using Content Filtering for these lists.

Scot
[Mailman-Users] Sanitizer settings
A user is asking why HTML messages are ending up with attachments (which their organization is bouncing back to them since it doesn't allow HTML attachments).

I found this in Defaults.py

    ARCHIVE_HTML_SANITIZER = 1

The comments there say:

    # 2 - Leave it inline, but HTML-escape it

I added this to mm_cfg.py. Then I changed the 1 to 2, but it doesn't seem to have any effect. Formatted messages still come through with attachments, and when I view source on a message, the HTML does not appear to be escaped. Ran mailmanctl restart, but no difference.

How can I make formatted messages appear inline without attachments?

Thanks,
Scot