------------------------------------------------------------
revno: 1373
fixes bug: https://launchpad.net/bugs/1082746
committer: Mark Sapiro <msap...@value.net>
branch nick: 2.1
timestamp: Fri 2012-12-14 20:37:33 -0800
message:
Added a minimum delay between retrieval and submission of the subscribe form.
modified:
Mailman/Cgi/subscribe.py
Mailman/Defaults.py.in
NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
Your team Mailman Checkins is subscribed to branch lp:mailman/2.1.
To unsubscribe from this branch go to
https://code.launchpad.net/~mailman-coders/mailman/2.1/+edit-subscription
=== modified file 'Mailman/Cgi/subscribe.py'
--- Mailman/Cgi/subscribe.py 2012-11-24 22:44:15 +0000
+++ Mailman/Cgi/subscribe.py 2012-12-15 04:37:33 +0000
@@ -136,6 +136,10 @@
remote).hexdigest()
if now - then > mm_cfg.FORM_LIFETIME:
results.append(_('The form is too old. Please GET it again.'))
+ if now - then < mm_cfg.SUBSCRIBE_FORM_MIN_TIME:
+ results.append(
+ _('Please take a few seconds to fill out the form before submitting it.')
+ )
if token != fhash:
results.append(_('You must GET the form before submitting it.'))
# Was an attempt made to subscribe the list to itself?
=== modified file 'Mailman/Defaults.py.in'
--- Mailman/Defaults.py.in 2012-11-24 22:44:15 +0000
+++ Mailman/Defaults.py.in 2012-12-15 04:37:33 +0000
@@ -117,8 +117,8 @@
# This hash is checked upon form submission and the subscribe fails if it
# doesn't match. I.e. the form posted must be first retrieved from the
# listinfo CGI by the same IP that posts it. The subscribe also fails if
-# the time the form was retrieved is more than the above FORM_LIFETIME
-# before submission.
+# the time the form was retrieved is more than the above FORM_LIFETIME or less
+# than the below SUBSCRIBE_FORM_MIN_TIME before submission.
# Important: If you have any static subscribe forms on your web site, setting
# this option will break them. With this option set, subscribe forms must be
# dynamically generated to include the hidden data. See the code block
@@ -126,6 +126,11 @@
# for the details of the hidden data.
SUBSCRIBE_FORM_SECRET = None
+# If SUBSCRIBE_FORM_SECRET is not None, this is the minimum time the user must
+# take after retrieving the form before submitting it. Set to 0 to skip this
+# test.
+SUBSCRIBE_FORM_MIN_TIME = seconds(5)
+
# Command that is used to convert text/html parts into plain text. This
# should output results to standard output. %(filename)s will contain the
# name of the temporary file that the program should operate on.
=== modified file 'NEWS'
--- NEWS 2012-11-25 00:48:13 +0000
+++ NEWS 2012-12-15 04:37:33 +0000
@@ -13,9 +13,11 @@
a dynamically generated, hidden hash in the listinfo subscribe form and
check it upon submission. Setting this will prevent automated processes
(bots) from successfully POSTing web subscribes without first retrieving
- and parsing the form from the listinfo page. Note that enabling this
- will break ant static subscribe forms on your site. See the description
- in Defaults.py for more info. (LP: 1082746)
+ and parsing the form from the listinfo page. The form must also be
+ submitted no later than FORM_LIFETIME nor no earlier than
+ SUBSCRIBE_FORM_MIN_TIME after retrieval. Note that enabling this will
+ break any static subscribe forms on your site. See the description in
+ Defaults.py for more info. (LP: 1082746)
- add_members now has an option to add members with mail delivery disabled
by admin. (LP: 1070574)
_______________________________________________
Mailman-checkins mailing list
Mailman-checkins@python.org
Unsubscribe:
http://mail.python.org/mailman/options/mailman-checkins/archive%40jab.org
