diff options
Diffstat (limited to 'Mailman/Cgi')
| -rw-r--r-- | Mailman/Cgi/confirm.py | 24 | ||||
| -rw-r--r-- | Mailman/Cgi/create.py | 7 | ||||
| -rw-r--r-- | Mailman/Cgi/options.py | 2 | ||||
| -rw-r--r-- | Mailman/Cgi/rmlist.py | 7 | ||||
| -rw-r--r-- | Mailman/Cgi/roster.py | 4 |
5 files changed, 36 insertions, 8 deletions
diff --git a/Mailman/Cgi/confirm.py b/Mailman/Cgi/confirm.py index 8dd39aff..1175b81a 100644 --- a/Mailman/Cgi/confirm.py +++ b/Mailman/Cgi/confirm.py @@ -327,6 +327,12 @@ def subscription_cancel(mlist, doc, cookie): try: # Discard this cookie userdesc = mlist.pend_confirm(cookie)[1] + except TypeError: + # See comment about TypeError in subscription_confirm. + # Give a generic message. It doesn't much matter what since it's a + # bot anyway. + doc.AddItem(_('Error')) + return finally: mlist.Unlock() lang = userdesc.language @@ -362,6 +368,10 @@ def subscription_confirm(mlist, doc, cookie, cgidata): else: digest = None userdesc = mlist.pend_confirm(cookie, expunge=False)[1] + # There is a potential race condition if two (robotic?) clients try + # to confirm the same token simultaneously. If they both succeed in + # retrieving the data above, when the second gets here, the cookie + # is gone and TypeError is thrown. Catch it below. fullname = cgidata.getfirst('realname', None) if fullname is not None: fullname = Utils.canonstr(fullname, lang) @@ -379,7 +389,7 @@ def subscription_confirm(mlist, doc, cookie, cgidata): the list moderator before you will be subscribed. Your request has been forwarded to the list moderator, and you will be notified of the moderator's decision.""")) - except Errors.NotAMemberError: + except (Errors.NotAMemberError, TypeError): bad_confirmation(doc, _('''Invalid confirmation string. It is possible that you are attempting to confirm a request for an address that has already been unsubscribed.''')) @@ -444,7 +454,8 @@ def unsubscription_confirm(mlist, doc, cookie): i18n.set_language(lang) doc.set_language(lang) op, addr = mlist.ProcessConfirmation(cookie) - except Errors.NotAMemberError: + # See comment about TypeError in subscription_confirm. + except (Errors.NotAMemberError, TypeError): bad_confirmation(doc, _('''Invalid confirmation string. It is possible that you are attempting to confirm a request for an address that has already been unsubscribed.''')) @@ -533,7 +544,8 @@ def addrchange_confirm(mlist, doc, cookie): i18n.set_language(lang) doc.set_language(lang) op, oldaddr, newaddr = mlist.ProcessConfirmation(cookie) - except Errors.NotAMemberError: + # See comment about TypeError in subscription_confirm. + except (Errors.NotAMemberError, TypeError): bad_confirmation(doc, _('''Invalid confirmation string. It is possible that you are attempting to confirm a request for an address that has already been unsubscribed.''')) @@ -657,7 +669,8 @@ def heldmsg_confirm(mlist, doc, cookie): # Discard the message mlist.HandleRequest(id, mm_cfg.DISCARD, _('Sender discarded message via web.')) - except (Errors.LostHeldMessage, KeyError): + # See comment about TypeError in subscription_confirm. + except (Errors.LostHeldMessage, KeyError, TypeError): bad_confirmation(doc, _('''The held message with the Subject: header <em>%(subject)s</em> could not be found. The most likely reason for this is that the list moderator has already approved or @@ -770,7 +783,8 @@ def reenable_confirm(mlist, doc, cookie): i18n.set_language(lang) doc.set_language(lang) op, addr = mlist.ProcessConfirmation(cookie) - except Errors.NotAMemberError: + # See comment about TypeError in subscription_confirm. + except (Errors.NotAMemberError, TypeError): bad_confirmation(doc, _('''Invalid confirmation string. It is possible that you are attempting to confirm a request for an address that has already been unsubscribed.''')) diff --git a/Mailman/Cgi/create.py b/Mailman/Cgi/create.py index ebb211ae..d72e6967 100644 --- a/Mailman/Cgi/create.py +++ b/Mailman/Cgi/create.py @@ -162,6 +162,13 @@ def process_request(doc, cgidata): if not ok: ok = Utils.check_global_password(auth) if not ok: + remote = os.environ.get('HTTP_FORWARDED_FOR', + os.environ.get('HTTP_X_FORWARDED_FOR', + os.environ.get('REMOTE_ADDR', + 'unidentified origin'))) + syslog('security', + 'Authorization failed (create): list=%s: remote=%s', + listname, remote) request_creation( doc, cgidata, _('You are not authorized to create new mailing lists')) diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py index 34a7718e..3a3b7841 100644 --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -296,7 +296,7 @@ def main(): os.environ.get('REMOTE_ADDR', 'unidentified origin'))) syslog('security', - 'Authorization failed (private): user=%s: list=%s: remote=%s', + 'Authorization failed (options): user=%s: list=%s: remote=%s', user, listname, remote) # So as not to allow membership leakage, prompt for the email # address and the password here. diff --git a/Mailman/Cgi/rmlist.py b/Mailman/Cgi/rmlist.py index 4472c1c5..4c37a15d 100644 --- a/Mailman/Cgi/rmlist.py +++ b/Mailman/Cgi/rmlist.py @@ -127,6 +127,13 @@ def process_request(doc, cgidata, mlist): mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin), password) == mm_cfg.UnAuthorized: + remote = os.environ.get('HTTP_FORWARDED_FOR', + os.environ.get('HTTP_X_FORWARDED_FOR', + os.environ.get('REMOTE_ADDR', + 'unidentified origin'))) + syslog('security', + 'Authorization failed (rmlist): list=%s: remote=%s', + mlist.internal_name(), remote) request_deletion( doc, mlist, _('You are not authorized to delete this mailing list')) diff --git a/Mailman/Cgi/roster.py b/Mailman/Cgi/roster.py index abf87e08..eddd697b 100644 --- a/Mailman/Cgi/roster.py +++ b/Mailman/Cgi/roster.py @@ -123,8 +123,8 @@ def main(): os.environ.get('REMOTE_ADDR', 'unidentified origin'))) syslog('security', - 'Authorization failed (roster): list=%s: remote=%s', - listname, remote) + 'Authorization failed (roster): user=%s: list=%s: remote=%s', + addr, listname, remote) return # The document and its language |