I suspect it will only be a matter of time before other lists are
attacked too, especially since they have subscribe forms on other sites.
A proper implementation would include modifying the list admin GUI to
maintain a list attribute to control this, but I don't intend to do
that.

You can patch Mailman/Cgi/listinfo.py at about line 188 and
Mailman/Cgi/subscribe.py at about line 125 as follows:

in each of those places, replace the line

    if mm_cfg.SUBSCRIBE_FORM_SECRET:

with the 5 lines

    try:
        _switch = mlist.hash_subscribe
    except AttributeError:
        _switch = False
    if mm_cfg.SUBSCRIBE_FORM_SECRET and _switch:

(if it isn't clear, the 1st, 3rd and 5th lines are indented 4 spaces and
the 2nd and 4th lines are indented 8 spaces.)

Then you can use bin/config_list with input

mlist.hash_subscribe = True

to set this for a list. Those lists for which mlist.hash_subscribe
exists and is True will require the hidden hash in the subscribe form.
Other lists will not. You still need to set SUBSCRIBE_FORM_SECRET in
mm_cfg.py.
--
https://bugs.launchpad.net/bugs/1082746
Title:
Automated processes can swamp a list with web subscription requests.
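
Added example (not part of the original message and not Mailman's code): a stand-alone Python model of the per-list switch described in the comment above, showing how opted-in, opted-out and unmodified lists behave on both the form side and the handler side. FakeList, hash_required, make_token, accept_subscribe, FORM_LIFETIME and the HMAC token format are assumptions made for illustration; the token is a simplified stand-in, not Mailman's own.

```python
import hashlib
import hmac

SUBSCRIBE_FORM_SECRET = "constructed-site-secret"  # stands in for the mm_cfg.py setting
FORM_LIFETIME = 3600  # assumed token lifetime in seconds


class FakeList:
    """Constructed stand-in for a Mailman list object."""
    def __init__(self, name, **attrs):
        self.name = name
        self.__dict__.update(attrs)  # hash_subscribe exists only when passed in


def hash_required(mlist, secret=SUBSCRIBE_FORM_SECRET):
    # Same decision as the five patched lines: a missing attribute means "off",
    # and an unset site secret disables the check for every list.
    return bool(secret) and bool(getattr(mlist, "hash_subscribe", False))


def make_token(mlist, now, secret=SUBSCRIBE_FORM_SECRET):
    # Form side: value for the hidden field, "<timestamp>:<mac>".
    msg = ("%d:%s" % (now, mlist.name)).encode()
    mac = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return "%d:%s" % (now, mac)


def accept_subscribe(mlist, token, now, secret=SUBSCRIBE_FORM_SECRET):
    # Handler side: lists that have not opted in skip the check entirely.
    if not hash_required(mlist, secret):
        return True
    try:
        issued, _ = token.split(":", 1)
        issued = int(issued)
    except (AttributeError, ValueError):
        return False  # hidden field missing or malformed
    if not 0 <= now - issued <= FORM_LIFETIME:
        return False  # stale or future-dated token
    expected = make_token(mlist, issued, secret)
    # Constant-time comparison of the full "<timestamp>:<mac>" value.
    return hmac.compare_digest(token.encode(), expected.encode())
```

A list object created before the patch has no hash_subscribe attribute at all, so it keeps accepting posts without the hidden field until bin/config_list sets the attribute to True.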