diff options
author | Mark Sapiro <mark@msapiro.net> | 2015-04-23 17:42:33 -0700 |
---|---|---|
committer | Mark Sapiro <mark@msapiro.net> | 2015-04-23 17:42:33 -0700 |
commit | 8f7fc30bde024165d742ecae082858d80f1012b8 (patch) | |
tree | 22d4c5533e75637159ca1a5b679824920d14b85c | |
parent | baee4f8a34ab3ababaede13d00ae0467abee1f99 (diff) | |
download | mailman2-8f7fc30bde024165d742ecae082858d80f1012b8.tar.gz mailman2-8f7fc30bde024165d742ecae082858d80f1012b8.tar.xz mailman2-8f7fc30bde024165d742ecae082858d80f1012b8.zip |
If SUBSCRIBE_FORM_SECRET is enabled and a user's network has a load
balancer or similar in use the POSTing IP might not exactly match the
GETting IP. This is now accounted for by not requiring the last
octet (16 bits for ipV6) to match.
Diffstat (limited to '')
-rw-r--r-- | Mailman/Cgi/listinfo.py | 18 | ||||
-rwxr-xr-x | Mailman/Cgi/subscribe.py | 29 | ||||
-rwxr-xr-x | NEWS | 5 |
3 files changed, 40 insertions, 12 deletions
diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py index 8396b37d..3c04e8a7 100644 --- a/Mailman/Cgi/listinfo.py +++ b/Mailman/Cgi/listinfo.py @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2014 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2015 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -187,14 +187,24 @@ def list_listinfo(mlist, lang): 'subscribe') if mm_cfg.SUBSCRIBE_FORM_SECRET: now = str(int(time.time())) + remote = os.environ.get('REMOTE_HOST', + os.environ.get('REMOTE_ADDR', + 'w.x.y.z')) + # Try to accept a range in case of load balancers, etc. (LP: #1447445) + if remote.find('.') >= 0: + # ipv4 - drop last octet + remote = remote.rsplit('.', 1)[0] + else: + # ipv6 - drop last 16 (could end with :: in which case we just + # drop one : resulting in an invalid format, but it's only + # for our hash so it doesn't matter. + remote = remote.rsplit(':', 1)[0] replacements['<mm-subscribe-form-start>'] += ( '<input type="hidden" name="sub_form_token" value="%s:%s">\n' % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + now + mlist.internal_name() + - os.environ.get('REMOTE_HOST', - os.environ.get('REMOTE_ADDR', - 'w.x.y.z')) + remote ).hexdigest() ) ) diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py index a1b8434f..fff21e98 100755 --- a/Mailman/Cgi/subscribe.py +++ b/Mailman/Cgi/subscribe.py @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2014 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2015 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -124,23 +124,36 @@ def process_form(mlist, doc, cgidata, lang): # Are we checking the hidden data? if mm_cfg.SUBSCRIBE_FORM_SECRET: now = int(time.time()) + # Try to accept a range in case of load balancers, etc. (LP: #1447445) + if remote.find('.') >= 0: + # ipv4 - drop last octet + remote1 = remote.rsplit('.', 1)[0] + else: + # ipv6 - drop last 16 (could end with :: in which case we just + # drop one : resulting in an invalid format, but it's only + # for our hash so it doesn't matter. + remote1 = remote.rsplit(':', 1)[0] try: ftime, fhash = cgidata.getvalue('sub_form_token', '').split(':') then = int(ftime) except ValueError: ftime = fhash = '' - then = now + then = 0 token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ftime + mlist.internal_name() + - remote).hexdigest() - if now - then > mm_cfg.FORM_LIFETIME: + remote1).hexdigest() + if ftime and now - then > mm_cfg.FORM_LIFETIME: results.append(_('The form is too old. Please GET it again.')) - if now - then < mm_cfg.SUBSCRIBE_FORM_MIN_TIME: + if ftime and now - then < mm_cfg.SUBSCRIBE_FORM_MIN_TIME: + results.append( + _('Please take a few seconds to fill out the form before submitting it.')) + if ftime and token != fhash: + results.append( + _("The hidden token didn't match. Did your IP change?")) + if not ftime: results.append( - _('Please take a few seconds to fill out the form before submitting it.') - ) - if token != fhash: + _('There was no hidden token in your submission or it was corrupted.')) results.append(_('You must GET the form before submitting it.')) # Was an attempt made to subscribe the list to itself? if email == mlist.GetListEmail(): @@ -9,6 +9,11 @@ Here is a history of user visible changes to Mailman. Bug fixes and other patches + - If SUBSCRIBE_FORM_SECRET is enabled and a user's network has a load + balancer or similar in use the POSTing IP might not exactly match the + GETting IP. This is now accounted for by not requiring the last + octet (16 bits for ipV6) to match. (LP: #1447445) + - DKIM-Signature:, DomainKey-Signature: and Authentication-Results: headers are now removed by default from posts to anonymous lists. (LP: #1444673) |