authorMark Sapiro <mark@msapiro.net>2015-04-23 17:42:33 -0700
committerMark Sapiro <mark@msapiro.net>2015-04-23 17:42:33 -0700
commit8f7fc30bde024165d742ecae082858d80f1012b8 (patch)
tree22d4c5533e75637159ca1a5b679824920d14b85c
parentbaee4f8a34ab3ababaede13d00ae0467abee1f99 (diff)
If SUBSCRIBE_FORM_SECRET is enabled and a user's network has a load
balancer or similar in use, the POSTing IP might not exactly match the GETting IP. This is now accounted for by not requiring the last octet (16 bits for IPv6) to match.
Diffstat (limited to '')
-rw-r--r--Mailman/Cgi/listinfo.py18
-rwxr-xr-xMailman/Cgi/subscribe.py29
-rwxr-xr-xNEWS5
3 files changed, 40 insertions, 12 deletions
diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py
index 8396b37d..3c04e8a7 100644
--- a/Mailman/Cgi/listinfo.py
+++ b/Mailman/Cgi/listinfo.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2014 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2015 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -187,14 +187,24 @@ def list_listinfo(mlist, lang):
'subscribe')
if mm_cfg.SUBSCRIBE_FORM_SECRET:
now = str(int(time.time()))
+ remote = os.environ.get('REMOTE_HOST',
+ os.environ.get('REMOTE_ADDR',
+ 'w.x.y.z'))
+ # Try to accept a range in case of load balancers, etc. (LP: #1447445)
+ if remote.find('.') >= 0:
+ # ipv4 - drop last octet
+ remote = remote.rsplit('.', 1)[0]
+ else:
+ # ipv6 - drop last 16 (could end with :: in which case we just
+ # drop one : resulting in an invalid format, but it's only
+ # for our hash so it doesn't matter.
+ remote = remote.rsplit(':', 1)[0]
replacements['<mm-subscribe-form-start>'] += (
'<input type="hidden" name="sub_form_token" value="%s:%s">\n'
% (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
now +
mlist.internal_name() +
- os.environ.get('REMOTE_HOST',
- os.environ.get('REMOTE_ADDR',
- 'w.x.y.z'))
+ remote
).hexdigest()
)
)
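Review bot: The address-prefix logic added at the top of this hunk is duplicated verbatim in Mailman/Cgi/subscribe.py (the next section), and any future drift between the two copies would make every generated token fail validation with no obvious error, so a single shared helper next to `Utils.sha_new` that both CGI scripts call would be safer. Because REMOTE_HOST is consulted before REMOTE_ADDR, a server that fills REMOTE_HOST with a reverse-DNS name would hit the `'.'` branch and strip the last DNS label rather than an octet; either consult REMOTE_ADDR only or note this in the comment. A comment stating the new trust boundary would also help readers, e.g. `# Token is bound to the client's /24 (IPv4) or all-but-last group (IPv6), not the exact address; the secret, timestamp and list name still bind the rest.` list_listinfo continues outside this hunk.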
diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py
index a1b8434f..fff21e98 100755
--- a/Mailman/Cgi/subscribe.py
+++ b/Mailman/Cgi/subscribe.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2014 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2015 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -124,23 +124,36 @@ def process_form(mlist, doc, cgidata, lang):
# Are we checking the hidden data?
if mm_cfg.SUBSCRIBE_FORM_SECRET:
now = int(time.time())
+ # Try to accept a range in case of load balancers, etc. (LP: #1447445)
+ if remote.find('.') >= 0:
+ # ipv4 - drop last octet
+ remote1 = remote.rsplit('.', 1)[0]
+ else:
+ # ipv6 - drop last 16 (could end with :: in which case we just
+ # drop one : resulting in an invalid format, but it's only
+ # for our hash so it doesn't matter.
+ remote1 = remote.rsplit(':', 1)[0]
try:
ftime, fhash = cgidata.getvalue('sub_form_token', '').split(':')
then = int(ftime)
except ValueError:
ftime = fhash = ''
- then = now
+ then = 0
token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
ftime +
mlist.internal_name() +
- remote).hexdigest()
- if now - then > mm_cfg.FORM_LIFETIME:
+ remote1).hexdigest()
+ if ftime and now - then > mm_cfg.FORM_LIFETIME:
results.append(_('The form is too old. Please GET it again.'))
- if now - then < mm_cfg.SUBSCRIBE_FORM_MIN_TIME:
+ if ftime and now - then < mm_cfg.SUBSCRIBE_FORM_MIN_TIME:
+ results.append(
+ _('Please take a few seconds to fill out the form before submitting it.'))
+ if ftime and token != fhash:
+ results.append(
+ _("The hidden token didn't match. Did your IP change?"))
+ if not ftime:
results.append(
- _('Please take a few seconds to fill out the form before submitting it.')
- )
- if token != fhash:
+ _('There was no hidden token in your submission or it was corrupted.'))
results.append(_('You must GET the form before submitting it.'))
# Was an attempt made to subscribe the list to itself?
if email == mlist.GetListEmail():
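Review bot: The token check on the `if ftime and token != fhash:` line compares the submitted hex digest using plain string inequality; where the supported Python provides `hmac.compare_digest`, a constant-time comparison would remove the (small) timing side channel, otherwise a one-line comment acknowledging the trade-off would be useful. The `if not ftime:` branch now appends two overlapping messages ("There was no hidden token…" and "You must GET the form…"); one of them is probably enough. `remote` is assigned before this hunk and process_form continues after it, so whether it prefers REMOTE_HOST over REMOTE_ADDR in the same way as listinfo.py cannot be confirmed from here.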
diff --git a/NEWS b/NEWS
index b2f16bc5..e0c4951f 100755
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,11 @@ Here is a history of user visible changes to Mailman.
Bug fixes and other patches
+ - If SUBSCRIBE_FORM_SECRET is enabled and a user's network has a load
+ balancer or similar in use the POSTing IP might not exactly match the
+ GETting IP. This is now accounted for by not requiring the last
+ octet (16 bits for ipV6) to match. (LP: #1447445)
+
- DKIM-Signature:, DomainKey-Signature: and Authentication-Results:
headers are now removed by default from posts to anonymous lists.
(LP: #1444673)