Hi all,

This is a little embarrassing, but I thought y'all might deserve a
heads-up.  Note, this is not a bug, except in my brain.  And maybe
yours but probably not ;-).

A couple years ago I converted my Mailman 2 site from HTTP to HTTPS.
The site is visible externally to my university, thus HTTPS, but
almost entirely used for announcements, which partly explains how I
missed this (more on that later).  I tried to release a held message
from the moderation page, and this failed repeatedly.  Eventually I
realized that I wasn't getting a response page at all.  I'm guessing
that what happened is this:

1.  I added a virtual host on :443 in my Apache server config to
    accept Mailman requests via HTTPS (the rest of the URLs are the
    same).
2.  I added a global redirect rule that returns a redirect of every
    HTTP request as an https: URL.
3.  The request for moderation action gets redirected, invalidating
    the CSRF cookie.
4.  The redirected request has an invalid cookie, which gets ignored,
    and it is discarded.

The fix is obvious: run bin/fix_url.py on all my lists.

You're allowed to laugh now, but try to not scare the fish. :-)

How I missed this, and you might too: because these are announcement
lists configured to my normal usage, there's very little in the way of
web interaction on the moderation side, but list configuration works,
so I didn't notice it there.  (I caught it this time because I got
moderated due to a very large post.)  I don't understand why
moderation fails but list configuration works in my configuration (the
list configuration pages also have CSRF cookies).

If you care, ask and I'll figure it out.  I probably should figure it
out since it suggests that some CSRF cookies may persist for more than
one request, or Mailman may somehow reissue the CSRF cookie in some
circumstances.  Explanations that save me the effort appreciated! ;-)

Steve
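The four steps above can be reproduced offline. The following is an added example written for this page, not code from the post or from Mailman itself: it models a global http: to https: redirect in front of a moderation form that requires a single-use POSTed token, and a client that follows redirects the way browsers do (301/302 turn a POST into a GET and drop the body; 307/308 replay the method and body). The list name, hostname, handler and token store are all constructed stand-ins; the `form_action_url` parameter plays the role of the list's base URL that `bin/fix_url.py` rewrites.

```python
"""Simulate what a blanket http->https redirect does to a moderation POST.

Constructed example for illustration; not Mailman's own code.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    url: str
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    text: str = ""


# Hypothetical single-use token store standing in for the per-form CSRF token.
_issued_tokens: set = set()


def issue_token() -> str:
    """Hand out a fresh token when the moderation page is rendered."""
    tok = secrets.token_hex(8)
    _issued_tokens.add(tok)
    return tok


def moderation_handler(req: Request) -> Response:
    """Only a POST carrying a valid, unused token performs the action."""
    if req.method != "POST":
        return Response(200, text="admindb page (no action taken)")
    tok = req.body.get("csrf_token")
    if tok not in _issued_tokens:
        return Response(200, text="admindb page (token rejected, no action taken)")
    _issued_tokens.discard(tok)  # token is consumed
    return Response(200, text="message released")


def front_end(req: Request, redirect_status: int = 301) -> Response:
    """Apache-style global rule: every http: request is redirected to https:."""
    if req.url.startswith("http://"):
        target = "https://" + req.url[len("http://"):]
        return Response(redirect_status, location=target)
    return moderation_handler(req)


def client(req: Request, redirect_status: int = 301) -> Response:
    """Follow at most one redirect with browser semantics."""
    resp = front_end(req, redirect_status)
    if resp.status in (301, 302, 303):
        follow = Request("GET", resp.location)  # method changed, body lost
    elif resp.status in (307, 308):
        follow = Request(req.method, resp.location, dict(req.body))
    else:
        return resp
    return front_end(follow, redirect_status)


def release_message(form_action_url: str, redirect_status: int = 301) -> str:
    """Submit the moderation form whose action is rooted at form_action_url.

    form_action_url models the list's configured base URL: an http: value
    triggers the redirect, an https: value (what fix_url.py sets) does not.
    """
    tok = issue_token()
    req = Request("POST", form_action_url + "/admindb/announce-list",
                  {"csrf_token": tok, "action": "accept"})
    return client(req, redirect_status).text


if __name__ == "__main__":
    print("http base, 301 :", release_message("http://lists.example.edu/mailman"))
    print("https base     :", release_message("https://lists.example.edu/mailman"))
    print("http base, 307 :", release_message("http://lists.example.edu/mailman", 307))
```

With the list still rooted at `http://`, the POST is answered with a 301, the browser re-requests the moderation page with GET and no body, and the action is silently dropped, which matches the symptom in the post. Pointing the form at `https://` directly avoids the redirect entirely, which is the effect of running `bin/fix_url.py`; a 307/308 redirect would also preserve the POST, but a permanent redirect in a site-wide rule is normally 301, so fixing the configured URL is the right repair rather than relying on redirect semantics.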

------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
    https://mail.python.org/archives/list/mailman-users@python.org/
