On 4/22/15 3:11 PM, Laura Creighton wrote:
> In a message of Wed, 22 Apr 2015 14:34:00 -0700, Mark Sapiro writes:
>>
>> It is conceivable that some browser could corrupt the
>> sub_form_token value upon submission if and only if the password
>> fields are empty, but as I say, it's a stretch.
>
> And this is upside-down from his experience. Things go _fine_
> when the password fields are empty, it is just when he fills them
> out that things did not work.
My mistake. I meant non-empty. And as far as "things go fine", I suspect
it's really "things went fine once and the password fields happened to
be empty that one time".

>> When did this issue occur? I have looked at the web server logs
>> back to March 30, and every POST to mailman/subscribe/pypy-dev in
>> those logs is from a bot attempting to subscribe to many lists.
>
> Yesterday. At Tue, 21 Apr 2015 18:05:56 -0000 he sent a mail to
> pypy-dev-owner (me) complaining about his problem and asking if we
> could fix it, so sometime before but close to then I would guess.

Yes. I saw the dates in the email, and as I say, I looked at the server
logs all the way back to March 30 and I see no evidence of a successful
subscribe to pypy-dev, and all the unsuccessful ones appear to be just
the kind of bot activity we are trying to thwart.

>> The only way the 'You must GET the form before submitting it.'
>> message is issued is if the time is within the 1 hour >= time >=
>> 5 seconds window and the hash doesn't match. This could occur if
>> the user is accessing the site through some kind of proxy or
>> other device which submits the form from a different IP than the
>> one that got it.
>
> I will ask about this. He is using stock chrome with no
> adblocking plugins -- no plugins at all, as this is a new machine
> and he hasn't got around to installing anything yet.

It wouldn't be his machine. It would be something between his machine
and mail.python.org. Perhaps some kind of load balancer or other device
which submits each separate http request from one of a pool of IP
addresses. Thus, the subscribe only works if whatever it is uses the
same IP for both the GET and POST, and the presence/absence of a
password is just a coincidence.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
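The token check Mark describes (a hash that must match on POST, accepted only inside a window of at least 5 seconds and at most 1 hour after the GET) is illustrated below with an added Python example that is not Mailman's own code. It assumes an HMAC over the issue time, list name and requesting IP with a constructed secret; Mailman's real derivation is not shown in this thread. The constructed scenario at the end shows why a pool of egress addresses between the browser and the server yields the 'You must GET the form before submitting it.' outcome.

```python
import hashlib
import hmac
import time

# Hypothetical server-side secret (constructed for this demo).
SECRET = b"constructed-secret-for-demo"
MIN_AGE = 5          # POST sooner than this after GET looks like a bot
MAX_AGE = 60 * 60    # POST later than one hour after GET is stale


def _mac(issued, listname, remote_ip):
    msg = f"{issued}:{listname}:{remote_ip}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(listname, remote_ip, now=None):
    """Build the sub_form_token embedded in the form served on GET."""
    now = int(time.time()) if now is None else int(now)
    return f"{now}:{_mac(now, listname, remote_ip)}"


def check_token(token, listname, remote_ip, now=None):
    """Validate the token on POST.

    Returns 'ok', 'too_fast', 'stale', 'no_get' (inside the window but the
    hash does not match, i.e. the 'You must GET the form' message) or 'bad'.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return "bad"
    age = now - issued
    if age < MIN_AGE:
        return "too_fast"
    if age > MAX_AGE:
        return "stale"
    if not hmac.compare_digest(mac, _mac(issued, listname, remote_ip)):
        return "no_get"
    return "ok"


def proxy_pool_scenario():
    """Constructed scenario: GET and POST egress from different pool IPs."""
    t0 = 1_429_660_000
    token = issue_token("pypy-dev", "192.0.2.10", now=t0)
    same_ip = check_token(token, "pypy-dev", "192.0.2.10", now=t0 + 30)
    other_ip = check_token(token, "pypy-dev", "192.0.2.11", now=t0 + 30)
    return same_ip, other_ip
```

Because the IP is part of the hash input, any device that rewrites the source address between the two requests makes the hash mismatch, regardless of what the password fields contain.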