------------------------------------------------------------ revno: 1430 fixes bug: https://launchpad.net/bugs/1246039 committer: Mark Sapiro <m...@msapiro.net> branch nick: 2.1 timestamp: Tue 2013-10-29 13:24:47 -0700 message: Implemented whitelist for headers to keep for anonymous lists. modified: Mailman/Defaults.py.in Mailman/Handlers/Cleanse.py NEWS
=== modified file 'Mailman/Defaults.py.in'
--- Mailman/Defaults.py.in 2013-09-28 23:08:15 +0000
+++ Mailman/Defaults.py.in 2013-10-29 20:24:47 +0000
@@ -983,6 +983,27 @@
 MEMBER_PASSWORD_LENGTH = 8
 ADMIN_PASSWORD_LENGTH = 10
+# The following headers are always removed from posts to anonymous lists as
+# they can reveal the identity of the poster or at least the poster's domain.
+#
+# From:, Reply-To:, Sender:, Return-Path:, X-Originating-Email:, Received:,
+# Message-ID: and X-Envelope-From:.
+#
+# In addition, Return-Receipt-To:, Disposition-Notification-To:,
+# X-Confirm-Reading-To: and X-Pmrqc: headers are removed from all posts as
+# they can be used to fish for list membership in addition to possibly
+# revealing sender information.
+#
+# In addition to the above removals, all other headers except those matching
+# regular expressions in the following setting are also removed. The default
+# setting below keeps all non X- headers, those X- headers added by Mailman
+# and any X-Spam- headers.
+ANONYMOUS_LIST_KEEP_HEADERS = ['^(?!x-)', '^x-mailman-',
+                               '^x-content-filtered-by:', '^x-topics:',
+                               '^x-ack:', '^x-beenthere:',
+                               '^x-list-administrivia:', '^x-spam-',
+                               ]
+
 #####
=== modified file 'Mailman/Handlers/Cleanse.py'
--- Mailman/Handlers/Cleanse.py 2013-09-27 23:33:35 +0000
+++ Mailman/Handlers/Cleanse.py 2013-10-29 20:24:47 +0000
@@ -26,6 +26,25 @@
 from Mailman.Logging.Syslog import syslog
 from Mailman.Handlers.CookHeaders import uheader
+cres = []
+for regexp in mm_cfg.ANONYMOUS_LIST_KEEP_HEADERS:
+    try:
+        cres.append(re.compile(regexp, re.IGNORECASE))
+    except re.error, e:
+        syslog('error',
+               'ANONYMOUS_LIST_KEEP_HEADERS: ignored bad regexp %s: %s',
+               regexp, e)
+
+def remove_nonkeepers(msg):
+    for hdr in msg.keys():
+        keep = False
+        for cre in cres:
+            if cre.search(hdr):
+                keep = True
+                break
+        if not keep:
+            del msg[hdr]
+
 def process(mlist, msg, msgdata):
     # Always remove this header from any outgoing messages. Be sure to do
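Review bot: The first entry `'^(?!x-)'` in ANONYMOUS_LIST_KEEP_HEADERS keeps every header whose name does not start with X-, and several standard non-X- headers name the poster or the poster's domain just as surely as the ones enumerated in the comment above it: DKIM-Signature: (d= and i= tags), Authentication-Results: and Received-SPF: (smtp.mailfrom= / envelope-from= values), and User-Agent:. Unless those are stripped elsewhere in the pipeline, which this hunk does not show, the default keep list is not the anonymity guarantee the NEWS entry describes. Either tighten the default to an explicit list of the structural headers a post needs (Subject, Date, MIME-Version, Content-*, In-Reply-To, References, List-*) or at least say so in the comment, e.g. `# NOTE: '^(?!x-)' also keeps DKIM-Signature:, Authentication-Results: and Received-SPF:, which carry the poster's domain; sites needing strong anonymity should replace it with an explicit list of headers to keep.`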
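Review bot: `remove_nonkeepers` matches each pattern against `hdr` taken from `msg.keys()`, which (assuming msg behaves like an email.message object) is the bare field name with no colon, yet the default entries `'^x-content-filtered-by:'`, `'^x-topics:'`, `'^x-ack:'`, `'^x-beenthere:'` and `'^x-list-administrivia:'` all require a literal colon, so they can never match and any of those Mailman-added headers present at this point in the pipeline are deleted along with everything else. Either drop the trailing colons from the defaults and document that patterns are matched against the header name only, or normalise the matched text so the documented colon form works: `if cre.search(hdr + ':'):`. Note also that a pattern rejected by `re.compile` is only logged at import time; if a site misspells `'^(?!x-)'`, every non-matching header including Subject:, Date: and Content-Type: is silently stripped from anonymous posts, which is worth a sentence in the Defaults comment pointing at the error log.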
@@ -54,6 +73,10 @@
         # And so can the message-id so replace it.
         del msg['message-id']
         msg['Message-ID'] = unique_message_id(mlist)
+        # And something sets this
+        del msg['x-envelope-from']
+        # And now remove all but the keepers.
+        remove_nonkeepers(msg)
         i18ndesc = str(uheader(mlist, mlist.description, 'From'))
         msg['From'] = formataddr((i18ndesc, mlist.GetListEmail()))
         msg['Reply-To'] = mlist.GetListEmail()
=== modified file 'NEWS'
--- NEWS 2013-10-22 18:16:35 +0000
+++ NEWS 2013-10-29 20:24:47 +0000
@@ -7,6 +7,16 @@
 2.1.17 (xx-xxx-xxxx)
+  New Features
+
+    - There is a new mm_cfg.py setting ANONYMOUS_LIST_KEEP_HEADERS. Since it
+      is not possible to know which non-standard headers in a message might
+      reveal sender information, we now remove all headers from incoming posts
+      to anonymous lists except those which match regular expressions in this
+      list. The default setting keeps non X- headers except those known to
+      reveal sender information, Mailman added X- headers and x-Spam- headers.
+      See the description in Defaults.py for more information. (LP: #1246039)
+
   Bug Fixes and other patches
     - Fixed a possible UnicodeDecodeError in bin/sync_members. (LP: #1243343)
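Review bot: The comment `# And something sets this` above `del msg['x-envelope-from']` does not say what the header is or why an anonymity control removes it, which is exactly the context the next maintainer needs; suggest `# X-Envelope-From: is added by some MTAs/MDAs from the SMTP envelope sender and identifies the poster.` (the hunk does not show which component adds it, so confirm before committing to that wording). Under the default keep list this explicit deletion is redundant with `remove_nonkeepers(msg)` two lines below, since no default X- pattern matches it, but it is a worthwhile belt-and-braces removal should a site add a broad `^x-` keeper, and a one-line comment saying so would stop someone "cleaning it up". Note that the whitelist pass only walks the top-level header block; headers of nested message/rfc822 parts are left as they are, which may or may not be intended. The enclosing `process()` starts before this hunk, so the condition this block runs under (presumably the anonymous-list branch, given the From/Message-ID handling around it) is not visible here.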