Perry E. Metzger writes:

> > Note the *in a server-side CGI*. AFAICS, we're done: we're safe.
>
> You're misinterpreting. The issue is that some server side systems
> also use web APIs of various kinds.
>
> > Mailman (as we distribute it) doesn't make *outgoing* HTTP
> > connections, it sends responses to incoming requests.
>
> So that makes it invulnerable, yes.
Note that in my post, my three sentences above were one paragraph. So I wasn't misinterpreting after all. I know you're trying to help, but this is just FUD.

The same is true for the WSGI applications. "Pure" WSGI applications like Postorius and HyperKitty don't use CGIHandler.

> What I meant was that you can do things on the web server side like
> altering your handling of http_proxy (which is what I did on my web
> servers as soon as this came out).

Sure, but that is covered by Mark's point that it's the rest of the webserver configuration that site admins should worry about. If you want to do people a favor, explain the necessary configuration magic for the webservers you use. That will protect them: both Mailman, from the vanishing probability that there's something in Mailman that makes HTTP requests that we don't know about, and any other CGI applications that they happen to run.

------------------------------------------------------
Mailman-Users mailing list
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
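The mechanism the thread is arguing about, as an added example that is not from the thread or from the Mailman project: a CGI gateway copies request headers into `HTTP_*` environment variables (RFC 3875), so a client header named `Proxy` surfaces as `HTTP_PROXY`, which HTTP client libraries treat as an outbound proxy setting. The function names and the sample header values below are constructed for this illustration.

```python
"""Added example: how a request header becomes HTTP_PROXY inside a CGI
process, and an in-process scrub that removes it before any outbound call.
Names (cgi_environ_from_headers, scrub_cgi_environ) and the sample values
are constructed for this demonstration, not taken from Mailman."""


def cgi_environ_from_headers(headers, method="GET"):
    """Build the HTTP_* part of a CGI environment the way a gateway does
    (RFC 3875 section 4.1.18: upper-case the name, '-' becomes '_')."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def scrub_cgi_environ(env):
    """Remove HTTP_PROXY from a CGI environment and report what was removed.

    REQUEST_METHOD is only ever set by a CGI gateway, so when it is present
    the upper-case HTTP_PROXY can only have come from a client request header
    and is never a legitimate operator setting.  A lower-case http_proxy is
    left alone: gateways never produce it, so it reflects the operator's own
    configuration.  Outside a CGI context nothing is touched.  Python's
    urllib.request.getproxies_environment applies the same REQUEST_METHOD
    guard; this helper is for code paths that read the environment directly.
    Returns the removed names so callers can log the event for detection.
    """
    if "REQUEST_METHOD" not in env:
        return []
    removed = []
    if "HTTP_PROXY" in env:
        del env["HTTP_PROXY"]
        removed.append("HTTP_PROXY")
    return removed


if __name__ == "__main__":
    # Constructed request: a normal Host header plus a hostile Proxy header.
    env = cgi_environ_from_headers(
        {"Host": "lists.example.org", "Proxy": "http://203.0.113.9:8080"})
    print("before scrub:", env.get("HTTP_PROXY"))
    print("removed:", scrub_cgi_environ(env))
    print("after scrub:", env.get("HTTP_PROXY"))
```

The scrub is the in-process backstop; as the post says, the durable fix is in the web server configuration, where the header can be dropped before any CGI or WSGI program sees it.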
