------------------------------------------------------------
revno: 1371
fixes bug: https://launchpad.net/bugs/1082746
committer: Mark Sapiro <msap...@value.net>
branch nick: 2.1
timestamp: Sat 2012-11-24 14:44:15 -0800
message:
Implement SUBSCRIBE_FORM_SECRET to mitigate bot subscribes. (LP: 1082746)
modified:
Mailman/Cgi/listinfo.py
Mailman/Cgi/subscribe.py*
Mailman/Defaults.py.in
NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
Your team Mailman Checkins is subscribed to branch lp:mailman/2.1.
To unsubscribe from this branch go to
https://code.launchpad.net/~mailman-coders/mailman/2.1/+edit-subscription
=== modified file 'Mailman/Cgi/listinfo.py'
--- Mailman/Cgi/listinfo.py 2010-09-09 15:16:57 +0000
+++ Mailman/Cgi/listinfo.py 2012-11-24 22:44:15 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2010 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2012 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -22,6 +22,7 @@
import os
import cgi
+import time
from Mailman import mm_cfg
from Mailman import Utils
@@ -184,6 +185,19 @@
replacements['<mm-confirm-password>'] = mlist.FormatSecureBox('pw-conf')
replacements['<mm-subscribe-form-start>'] = mlist.FormatFormStart(
'subscribe')
+ if mm_cfg.SUBSCRIBE_FORM_SECRET:
+ now = str(int(time.time()))
+ replacements['<mm-subscribe-form-start>'] += (
+ '<input type="hidden" name="sub_form_token" value="%s:%s">\n'
+ % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
+ now +
+ mlist.internal_name() +
+ os.environ.get('REMOTE_HOST',
+ os.environ.get('REMOTE_ADDR',
+ 'w.x.y.z'))
+ ).hexdigest()
+ )
+ )
# Roster form substitutions
replacements['<mm-roster-form-start>'] = mlist.FormatFormStart('roster')
replacements['<mm-roster-option>'] = mlist.FormatRosterOptionForUser(lang)
=== modified file 'Mailman/Cgi/subscribe.py' (properties changed: -x to +x)
--- Mailman/Cgi/subscribe.py 2011-05-10 01:34:07 +0000
+++ Mailman/Cgi/subscribe.py 2012-11-24 22:44:15 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2012 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -20,6 +20,7 @@
import sys
import os
import cgi
+import time
import signal
from Mailman import mm_cfg
@@ -120,6 +121,23 @@
remote = os.environ.get('REMOTE_HOST',
os.environ.get('REMOTE_ADDR',
'unidentified origin'))
+ # Are we checking the hidden data?
+ if mm_cfg.SUBSCRIBE_FORM_SECRET:
+ now = int(time.time())
+ try:
+ ftime, fhash = cgidata.getvalue('sub_form_token', '').split(':')
+ then = int(ftime)
+ except ValueError:
+ ftime = fhash = ''
+ then = now
+ token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
+ ftime +
+ mlist.internal_name() +
+ remote).hexdigest()
+ if now - then > mm_cfg.FORM_LIFETIME:
+ results.append(_('The form is too old. Please GET it again.'))
+ if token != fhash:
+ results.append(_('You must GET the form before submitting it.'))
# Was an attempt made to subscribe the list to itself?
if email == mlist.GetListEmail():
syslog('mischief', 'Attempt to self subscribe %s: %s', email, remote)
=== modified file 'Mailman/Defaults.py.in'
--- Mailman/Defaults.py.in 2012-11-24 19:05:25 +0000
+++ Mailman/Defaults.py.in 2012-11-24 22:44:15 +0000
@@ -111,6 +111,21 @@
# Form lifetime is set against Cross Site Request Forgery.
FORM_LIFETIME = hours(1)
+# If the following is set to a non-empty string, this string in combination
+# with the time, list name and the IP address of the requestor is used to
+# create a hidden hash as part of the subscribe form on the listinfo page.
+# This hash is checked upon form submission and the subscribe fails if it
+# doesn't match. I.e. the form posted must be first retrieved from the
+# listinfo CGI by the same IP that posts it. The subscribe also fails if
+# the time the form was retrieved is more than the above FORM_LIFETIME
+# before submission.
+# Important: If you have any static subscribe forms on your web site, setting
+# this option will break them. With this option set, subscribe forms must be
+# dynamically generated to include the hidden data. See the code block
+# beginning with "if mm_cfg.SUBSCRIBE_FORM_SECRET:" in Mailman/Cgi/listinfo.py
+# for the details of the hidden data.
+SUBSCRIBE_FORM_SECRET = None
+
# Command that is used to convert text/html parts into plain text. This
# should output results to standard output. %(filename)s will contain the
# name of the temporary file that the program should operate on.
=== modified file 'NEWS'
--- NEWS 2012-11-24 19:15:54 +0000
+++ NEWS 2012-11-24 22:44:15 +0000
@@ -9,6 +9,14 @@
New Features
+ - There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET which will put
+ a dynamically generated, hidden hash in the listinfo subscribe form and
+ check it upon submission. Setting this will prevent automated processes
+ (bots) from successfully POSTing web subscribes without first retrieving
+ and parsing the form from the listinfo page. Note that enabling this
+ will break ant static subscribe forms on your site. See the description
+ in Defaults.py for more info. (LP: 1082746)
+
- add_members now has an option to add members with mail delivery disabled
by admin. (LP: 1070574)
_______________________________________________
Mailman-checkins mailing list
Mailman-checkins@python.org
Unsubscribe:
http://mail.python.org/mailman/options/mailman-checkins/archive%40jab.org
