author | Mark Sapiro <mark@msapiro.net> | 2010-03-29 13:48:11 -0700 |
---|---|---|
committer | Mark Sapiro <mark@msapiro.net> | 2010-03-29 13:48:11 -0700 |
commit | 65d46a5c05a73e1ec5e73229730b4d30cbae4647 (patch) | |
tree | 98704da13231ecf0eba407e46409d40074b884f3 | |
parent | f6d1105683699c64e4cbbad0a4dbc13edd4177d5 (diff) | |
download | mailman2-65d46a5c05a73e1ec5e73229730b4d30cbae4647.tar.gz mailman2-65d46a5c05a73e1ec5e73229730b4d30cbae4647.tar.xz mailman2-65d46a5c05a73e1ec5e73229730b4d30cbae4647.zip |
Added roster to the CGIs that return HTTP 401 status for an authentication
failure, and return HTTP 404 status from all CGIs for an invalid list name.
Diffstat (limited to '')
-rw-r--r-- | Mailman/Cgi/admin.py | 2 | ||||
-rw-r--r-- | Mailman/Cgi/admindb.py | 2 | ||||
-rw-r--r-- | Mailman/Cgi/confirm.py | 2 | ||||
-rw-r--r-- | Mailman/Cgi/edithtml.py | 2 | ||||
-rw-r--r-- | Mailman/Cgi/listinfo.py | 2 | ||||
-rw-r--r-- | Mailman/Cgi/options.py | 2 | ||||
-rw-r--r-- | Mailman/Cgi/private.py | 2 | ||||
-rw-r--r-- | Mailman/Cgi/rmlist.py | 2 | ||||
-rw-r--r-- | Mailman/Cgi/roster.py | 4 | ||||
-rw-r--r-- | Mailman/Cgi/subscribe.py | 2 | ||||
-rw-r--r-- | NEWS | 3 |
11 files changed, 24 insertions, 1 deletions
diff --git a/Mailman/Cgi/admin.py b/Mailman/Cgi/admin.py
index 33aec336..ef5ea1ac 100644
--- a/Mailman/Cgi/admin.py
+++ b/Mailman/Cgi/admin.py
@@ -71,6 +71,8 @@ def main():
 except Errors.MMListError, e:
 # Avoid cross-site scripting attacks
 safelistname = Utils.websafe(listname)
+ # Send this with a 404 status.
+ print 'Status: 404 Not Found'
 admin_overview(_('No such list <em>%(safelistname)s</em>'))
 syslog('error', 'admin.py access for non-existent list: %s', listname)
diff --git a/Mailman/Cgi/admindb.py b/Mailman/Cgi/admindb.py
index e6d9c99e..f7654dc2 100644
--- a/Mailman/Cgi/admindb.py
+++ b/Mailman/Cgi/admindb.py
@@ -88,6 +88,8 @@ def main():
 except Errors.MMListError, e:
 # Avoid cross-site scripting attacks
 safelistname = Utils.websafe(listname)
+ # Send this with a 404 status.
+ print 'Status: 404 Not Found'
 handle_no_list(_('No such list <em>%(safelistname)s</em>'))
 syslog('error', 'No such list "%s": %s\n', listname, e)
 return
diff --git a/Mailman/Cgi/confirm.py b/Mailman/Cgi/confirm.py
index 95b33dca..8c681732 100644
--- a/Mailman/Cgi/confirm.py
+++ b/Mailman/Cgi/confirm.py
@@ -61,6 +61,8 @@ def main():
 safelistname = Utils.websafe(listname)
 bad_confirmation(doc, _('No such list <em>%(safelistname)s</em>'))
 doc.AddItem(MailmanLogo())
+ # Send this with a 404 status.
+ print 'Status: 404 Not Found'
 print doc.Format()
 syslog('error', 'No such list "%s": %s', listname, e)
 return
diff --git a/Mailman/Cgi/edithtml.py b/Mailman/Cgi/edithtml.py
index 0e34a1c7..5197b986 100644
--- a/Mailman/Cgi/edithtml.py
+++ b/Mailman/Cgi/edithtml.py
@@ -68,6 +68,8 @@ def main():
 # Avoid cross-site scripting attacks
 safelistname = Utils.websafe(listname)
 doc.AddItem(Header(2, _('No such list <em>%(safelistname)s</em>')))
+ # Send this with a 404 status.
+ print 'Status: 404 Not Found'
 print doc.Format()
 syslog('error', 'No such list "%s": %s', listname, e)
 return
diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py
index 5b965909..3a9b52cd 100644
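Review bot: The added `print 'Status: 404 Not Found'` in admin.py only takes effect if it reaches the web server before the CGI header block ends, so it depends on `admin_overview(...)` emitting the Content-type header afterwards and on nothing earlier in `main()` having written to stdout, neither of which is visible in the hunk. The same constraint applies to the identical additions in admindb.py, confirm.py, edithtml.py, listinfo.py, options.py, private.py, rmlist.py, roster.py and subscribe.py. The comment `# Send this with a 404 status.` repeats the statement; something like `# CGI Status header; must be printed before the page emits its own headers.` would record the ordering rule. Since the literal is now copied into ten scripts, a small shared helper would keep the status text in one place. `main()` starts and ends outside each hunk.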
--- a/Mailman/Cgi/listinfo.py
+++ b/Mailman/Cgi/listinfo.py
@@ -49,6 +49,8 @@ def main():
 except Errors.MMListError, e:
 # Avoid cross-site scripting attacks
 safelistname = Utils.websafe(listname)
+ # Send this with a 404 status.
+ print 'Status: 404 Not Found'
 listinfo_overview(_('No such list <em>%(safelistname)s</em>'))
 syslog('error', 'No such list "%s": %s', listname, e)
 return
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index cb6c2fa2..454ac7a8 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -78,6 +78,8 @@ def main():
 doc.addError(_('No such list <em>%(safelistname)s</em>'))
 doc.AddItem('<hr>')
 doc.AddItem(MailmanLogo())
+ # Send this with a 404 status.
+ print 'Status: 404 Not Found'
 print doc.Format()
 syslog('error', 'No such list "%s": %s\n', listname, e)
 return
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index a92265e1..00823959 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -108,6 +108,8 @@ def main():
 msg = _('No such list <em>%(safelistname)s</em>')
 doc.SetTitle(_("Private Archive Error - %(msg)s"))
 doc.AddItem(Header(2, msg))
+ # Send this with a 404 status.
+ print 'Status: 404 Not Found'
 print doc.Format()
 syslog('error', 'No such list "%s": %s\n', listname, e)
 return
diff --git a/Mailman/Cgi/rmlist.py b/Mailman/Cgi/rmlist.py
index 4628f5fd..8227063c 100644
--- a/Mailman/Cgi/rmlist.py
+++ b/Mailman/Cgi/rmlist.py
@@ -68,6 +68,8 @@ def main():
 Bold(FontAttr(title, color='#ff0000', size='+2'))))
 doc.AddItem('<hr>')
 doc.AddItem(MailmanLogo())
+ # Send this with a 404 status.
+ print 'Status: 404 Not Found'
 print doc.Format()
 syslog('error', 'No such list "%s": %s\n', listname, e)
 return
diff --git a/Mailman/Cgi/roster.py b/Mailman/Cgi/roster.py
index 8d06777d..d31608ff 100644
--- a/Mailman/Cgi/roster.py
+++ b/Mailman/Cgi/roster.py
@@ -54,6 +54,8 @@ def main():
 except Errors.MMListError, e:
 # Avoid cross-site scripting attacks
 safelistname = Utils.websafe(listname)
+ # Send this with a 404 status.
+ print 'Status: 404 Not Found'
 error_page(_('No such list <em>%(safelistname)s</em>'))
 syslog('error', 'roster: no such list "%s": %s', listname, e)
 return
@@ -99,6 +101,8 @@ def main():
 realname = mlist.real_name
 doc = Document()
 doc.set_language(lang)
+ # Send this with a 401 status.
+ print 'Status: 401 Unauthorized'
 error_page_doc(doc, _('%(realname)s roster authentication failed.'))
 doc.AddItem(mlist.GetMailmanFooter())
 print doc.Format()
diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py
index 80019581..f7b03ac6 100644
--- a/Mailman/Cgi/subscribe.py
+++ b/Mailman/Cgi/subscribe.py
@@ -60,6 +60,8 @@ def main():
 safelistname = Utils.websafe(listname)
 doc.AddItem(Header(2, _("Error")))
 doc.AddItem(Bold(_('No such list <em>%(safelistname)s</em>')))
+ # Send this with a 404 status.
+ print 'Status: 404 Not Found'
 print doc.Format()
 syslog('error', 'No such list "%s": %s\n', listname, e)
 return
@@ -39,7 +39,8 @@ Here is a history of user visible changes to Mailman. subject to fail. Bug #266572. - We now give an HTTP 401 status for authentication failures from admin, - admindb, private and options logins. + admindb, private, options and roster CGIs, and an HTTP 404 status from + all the CGIs for an invalid list name. - Backported the listinfo template change from the 2.2 branch to fix Bug #514050. |
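Review bot: The `print 'Status: 401 Unauthorized'` added in the second roster.py hunk sends a 401 without a `WWW-Authenticate` header, which HTTP requires on a 401 response. The roster login appears to be form-based (the hunk only shows the failure page being built), so no challenge may be the right choice, but the comment `# Send this with a 401 status.` does not say why 401 was picked. If the status is kept for consistency with the admin, admindb, private and options CGIs named in NEWS, a comment such as `# 401 without a WWW-Authenticate challenge, matching the other login CGIs, so failed logins show up in the web server log.` would record that, assuming log visibility is the intent. `main()` continues outside the hunk.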