1 files changed, 27 insertions, 2 deletions

diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py
index 8aaae14c..c13fdb26 100644
--- a/Mailman/Cgi/listinfo.py
+++ b/Mailman/Cgi/listinfo.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2010 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2015 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -22,6 +22,7 @@
 
 import os
 import cgi
+import time
 
 from Mailman import mm_cfg
 from Mailman import Utils
@@ -52,7 +53,7 @@ def main():
         # Send this with a 404 status.
         print 'Status: 404 Not Found'
         listinfo_overview(_('No such list <em>%(safelistname)s</em>'))
-        syslog('error', 'No such list "%s": %s', listname, e)
+        syslog('error', 'listinfo: No such list "%s": %s', listname, e)
         return
 
     # See if the user want to see this page in other language
@@ -184,6 +185,30 @@ def list_listinfo(mlist, lang):
     replacements['<mm-confirm-password>'] = mlist.FormatSecureBox('pw-conf')
     replacements['<mm-subscribe-form-start>'] = mlist.FormatFormStart(
         'subscribe')
+    if mm_cfg.SUBSCRIBE_FORM_SECRET:
+        now = str(int(time.time()))
+        remote = os.environ.get('HTTP_FORWARDED_FOR',
+                 os.environ.get('HTTP_X_FORWARDED_FOR',
+                 os.environ.get('REMOTE_ADDR',
+                                'w.x.y.z')))
+        # Try to accept a range in case of load balancers, etc.  (LP: #1447445)
+        if remote.find('.') >= 0:
+            # ipv4 - drop last octet
+            remote = remote.rsplit('.', 1)[0]
+        else:
+            # ipv6 - drop last 16 (could end with :: in which case we just
+            #        drop one : resulting in an invalid format, but it's only
+            #        for our hash so it doesn't matter.
+            remote = remote.rsplit(':', 1)[0]
+        replacements['<mm-subscribe-form-start>'] += (
+                '<input type="hidden" name="sub_form_token" value="%s:%s">\n'
+                % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
+                          now +
+                          mlist.internal_name() +
+                          remote
+                          ).hexdigest()
+                    )
+                )
     # Roster form substitutions
     replacements['<mm-roster-form-start>'] = mlist.FormatFormStart('roster')
     replacements['<mm-roster-option>'] = mlist.FormatRosterOptionForUser(lang)