On 2/21/22 13:08, David Siebörger wrote:
It seems to me that the logic in this change is not correct:
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1881
For lists with private_roster > 0, when the user has entered an email address
which is not subscribed to that list, the return is taken without having printed a
response. In my environment, Apache httpd then sends a 500 Internal Server Error
to the browser. While not saying so in so many words, this behaviour does subtly
disclose that the email address is not subscribed. The only privacy-preserving
way to proceed would be for Mailman to pretend that the user is subscribed, which
is what happened prior to this revision.
I have reported this at https://bugs.launchpad.net/mailman/+bug/1961762
Unfortunately I can't just revert this change. Other necessary changes
result in https://bugs.launchpad.net/mailman/+bug/1951769 without this
change. The best I can do is this:
```
if not mlist.isMember(user):
    if mlist.private_roster == 0:
        # Public roster: naming the unknown address discloses nothing.
        doc.addError(_('No such member: %(safeuser)s.'))
    # Either way, render the login page rather than returning with no output.
    loginpage(mlist, doc, None, language)
    print doc.Format()
    return
```
Which will return the login page. This will avoid the 500 Internal
Server Error, and in the case where one is coming from the listinfo
page, will just display the login page. There is still a subtle
difference in that if the address given is a member, the login page asks
only for a password, but if it's not a member login page asks for both
an address and a password, but I think that's the best that can be done.
I have committed this change at
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1887
--
Mark Sapiro <m...@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
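The following is an added illustration, not Mailman's own code: a small Python 3 model of the three behaviours discussed in the thread (the pre-r1881 "pretend the address is subscribed" handling, the r1881 branch that returns with no output, and the r1887 fix that always renders the login page), so that the response a browser sees for a member and for a non-member can be compared directly. The `MailingList`, `Response` and `loginpage` helpers are constructed stand-ins for the real Mailman objects; the status codes and form fields are assumptions about what the CGI/httpd layer and the login page produce, based on the thread's description.

```python
"""Model of the options-page membership branch discussed in the thread.

Constructed example; the classes below are simplified stand-ins for the
real Mailman 2.1 objects, not Mailman's own code.
"""
from dataclasses import dataclass, field


@dataclass
class MailingList:
    members: set
    private_roster: int  # 0 = public roster, >0 = private (assumed meaning)

    def isMember(self, addr):
        return addr.lower() in self.members


@dataclass
class Response:
    status: int
    errors: list = field(default_factory=list)
    form_fields: list = field(default_factory=list)


def loginpage(user):
    """Assumed login-page shape: with an address, ask for the password only;
    without one, ask for both address and password (as the thread notes)."""
    return ['password'] if user else ['email', 'password']


def options_before_r1881(mlist, user):
    # Modelled pre-r1881 behaviour: on a private roster a non-member is
    # treated as if subscribed and gets the same login page as a member.
    if not mlist.isMember(user) and mlist.private_roster == 0:
        return Response(200, errors=['No such member'],
                        form_fields=loginpage(None))
    return Response(200, form_fields=loginpage(user))


def options_r1881(mlist, user):
    # r1881 as reported: on a private roster the non-member branch returns
    # without printing a page, which httpd reports as a 500.
    if not mlist.isMember(user):
        if mlist.private_roster == 0:
            return Response(200, errors=['No such member'],
                            form_fields=loginpage(None))
        return Response(500)
    return Response(200, form_fields=loginpage(user))


def options_r1887(mlist, user):
    # r1887: always render the login page for a non-member; the error text
    # is only added when the roster is public.
    if not mlist.isMember(user):
        errors = ['No such member'] if mlist.private_roster == 0 else []
        return Response(200, errors=errors, form_fields=loginpage(None))
    return Response(200, form_fields=loginpage(user))


def distinguishes_members(handler, mlist, member, non_member):
    """True if the handler's response differs between a member and a
    non-member address, i.e. the page still reveals membership."""
    return handler(mlist, member) != handler(mlist, non_member)


if __name__ == '__main__':
    private = MailingList(members={'alice@example.com'}, private_roster=1)
    for handler in (options_before_r1881, options_r1881, options_r1887):
        leaks = distinguishes_members(handler, private,
                                      'alice@example.com', 'bob@example.com')
        print(handler.__name__, 'reveals membership:', leaks)
```

Running the model shows the three states the thread describes: the pre-r1881 logic gives identical responses for member and non-member on a private list, r1881 answers 200 versus 500, and r1887 answers 200 in both cases but with a password-only form for members and an address-plus-password form for non-members, which is the residual difference Mark points out.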
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/