diff options
| author | Mark Sapiro <msapiro@value.net> | 2012-11-24 14:44:15 -0800 |
|---|---|---|
| committer | Mark Sapiro <msapiro@value.net> | 2012-11-24 14:44:15 -0800 |
| commit | 93037ce44ab48aabad4564fbdfe1c967908e8ae8 (patch) | |
| tree | 66f1370a4c07f842778c3ad6e75d45641bc58119 /Mailman/Cgi | |
| parent | 85bd5f5e232b3fb6fc83f57e9e164bfa82d50e5c (diff) | |
| download | mailman2-93037ce44ab48aabad4564fbdfe1c967908e8ae8.tar.gz mailman2-93037ce44ab48aabad4564fbdfe1c967908e8ae8.tar.xz mailman2-93037ce44ab48aabad4564fbdfe1c967908e8ae8.zip | |
Implement SUBSCRIBE_FORM_SECRET to mitigate bot subscribes. (LP: 1082746)
Diffstat (limited to 'Mailman/Cgi')
| -rw-r--r-- | Mailman/Cgi/listinfo.py | 16 | ||||
| -rwxr-xr-x[-rw-r--r--] | Mailman/Cgi/subscribe.py | 20 |
2 files changed, 34 insertions, 2 deletions
diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py index 8aaae14c..5fbaaaf3 100644 --- a/Mailman/Cgi/listinfo.py +++ b/Mailman/Cgi/listinfo.py @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2010 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2012 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -22,6 +22,7 @@ import os import cgi +import time from Mailman import mm_cfg from Mailman import Utils @@ -184,6 +185,19 @@ def list_listinfo(mlist, lang): replacements['<mm-confirm-password>'] = mlist.FormatSecureBox('pw-conf') replacements['<mm-subscribe-form-start>'] = mlist.FormatFormStart( 'subscribe') + if mm_cfg.SUBSCRIBE_FORM_SECRET: + now = str(int(time.time())) + replacements['<mm-subscribe-form-start>'] += ( + '<input type="hidden" name="sub_form_token" value="%s:%s">\n' + % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + + now + + mlist.internal_name() + + os.environ.get('REMOTE_HOST', + os.environ.get('REMOTE_ADDR', + 'w.x.y.z')) + ).hexdigest() + ) + ) # Roster form substitutions replacements['<mm-roster-form-start>'] = mlist.FormatFormStart('roster') replacements['<mm-roster-option>'] = mlist.FormatRosterOptionForUser(lang) diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py index 7c49c51c..0fde280a 100644..100755 --- a/Mailman/Cgi/subscribe.py +++ b/Mailman/Cgi/subscribe.py @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2011 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2012 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -20,6 +20,7 @@ import sys import os import cgi +import time import signal from Mailman import mm_cfg @@ -120,6 +121,23 @@ def process_form(mlist, doc, cgidata, lang): remote = os.environ.get('REMOTE_HOST', os.environ.get('REMOTE_ADDR', 'unidentified origin')) + # Are we checking the hidden data? + if mm_cfg.SUBSCRIBE_FORM_SECRET: + now = int(time.time()) + try: + ftime, fhash = cgidata.getvalue('sub_form_token', '').split(':') + then = int(ftime) + except ValueError: + ftime = fhash = '' + then = now + token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + + ftime + + mlist.internal_name() + + remote).hexdigest() + if now - then > mm_cfg.FORM_LIFETIME: + results.append(_('The form is too old. Please GET it again.')) + if token != fhash: + results.append(_('You must GET the form before submitting it.')) # Was an attempt made to subscribe the list to itself? if email == mlist.GetListEmail(): syslog('mischief', 'Attempt to self subscribe %s: %s', email, remote) |