From 8f7fc30bde024165d742ecae082858d80f1012b8 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Thu, 23 Apr 2015 17:42:33 -0700
Subject: If SUBSCRIBE_FORM_SECRET is enabled and a user's network has a load balancer or similar in use the POSTing IP might not exactly match the GETting IP. This is now accounted for by not requiring the last octet (16 bits for ipV6) to match.

---
 Mailman/Cgi/listinfo.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

(limited to 'Mailman/Cgi/listinfo.py')

diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py
index 8396b37d..3c04e8a7 100644
--- a/Mailman/Cgi/listinfo.py
+++ b/Mailman/Cgi/listinfo.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2014 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2015 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -187,14 +187,24 @@ def list_listinfo(mlist, lang):
                                         'subscribe')
     if mm_cfg.SUBSCRIBE_FORM_SECRET:
         now = str(int(time.time()))
+        remote = os.environ.get('REMOTE_HOST',
+                 os.environ.get('REMOTE_ADDR',
+                                'w.x.y.z'))
+        # Try to accept a range in case of load balancers, etc. (LP: #1447445)
+        if remote.find('.') >= 0:
+            # ipv4 - drop last octet
+            remote = remote.rsplit('.', 1)[0]
+        else:
+            # ipv6 - drop last 16 (could end with :: in which case we just
+            # drop one : resulting in an invalid format, but it's only
+            # for our hash so it doesn't matter.
+            remote = remote.rsplit(':', 1)[0]
         replacements[''] += (
             '\n' % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
                   now +
                   mlist.internal_name() +
-                  os.environ.get('REMOTE_HOST',
-                  os.environ.get('REMOTE_ADDR',
-                                 'w.x.y.z'))
+                  remote
                   ).hexdigest()
             )
         )
-- 
cgit v1.2.3
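Review bot: The address normalization (drop the last dotted component, else the last colon-separated group) is written inline in list_listinfo, but the token it feeds is verified elsewhere — presumably the subscribe CGI, which is not part of this diff — and that side must apply byte-identical normalization or every sub_form_token will fail to match; moving the block into one shared helper in Utils (something like `remote = Utils.remote_addr_prefix()`) and calling it from both producer and verifier would keep the two from drifting. The `# ipv4 - drop last octet` comment is also inaccurate when REMOTE_HOST holds a resolved hostname rather than an address: `remote.find('.') >= 0` then strips the top-level label instead of an octet, which is harmless for the hash but worth stating, e.g. `# Drop the last dotted component: the last octet of an IPv4 address, or the TLD when REMOTE_HOST is a resolved name`. Since this deliberately weakens the token's binding from a single client address to a /24 (IPv4) or the enclosing 16-bit group (IPv6), a one-line comment recording that trade-off and the LP reference next to the hash input would help the next reader judge it. list_listinfo begins and ends outside this hunk.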