From 8ec9d40c8ab6bfd814a7026bab21997e05b5e8e0 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Tue, 7 Aug 2018 19:52:09 -0700 Subject: Catch TypeError on simultaneous confirmations of the same token. --- Mailman/Cgi/confirm.py | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) (limited to 'Mailman') diff --git a/Mailman/Cgi/confirm.py b/Mailman/Cgi/confirm.py index 8dd39aff..1175b81a 100644 --- a/Mailman/Cgi/confirm.py +++ b/Mailman/Cgi/confirm.py @@ -327,6 +327,12 @@ def subscription_cancel(mlist, doc, cookie): try: # Discard this cookie userdesc = mlist.pend_confirm(cookie)[1] + except TypeError: + # See comment about TypeError in subscription_confirm. + # Give a generic message. It doesn't much matter what since it's a + # bot anyway. + doc.AddItem(_('Error')) + return finally: mlist.Unlock() lang = userdesc.language @@ -362,6 +368,10 @@ def subscription_confirm(mlist, doc, cookie, cgidata): else: digest = None userdesc = mlist.pend_confirm(cookie, expunge=False)[1] + # There is a potential race condition if two (robotic?) clients try + # to confirm the same token simultaneously. If they both succeed in + # retrieving the data above, when the second gets here, the cookie + # is gone and TypeError is thrown. Catch it below. fullname = cgidata.getfirst('realname', None) if fullname is not None: fullname = Utils.canonstr(fullname, lang) @@ -379,7 +389,7 @@ def subscription_confirm(mlist, doc, cookie, cgidata): the list moderator before you will be subscribed. Your request has been forwarded to the list moderator, and you will be notified of the moderator's decision.""")) - except Errors.NotAMemberError: + except (Errors.NotAMemberError, TypeError): bad_confirmation(doc, _('''Invalid confirmation string. It is possible that you are attempting to confirm a request for an address that has already been unsubscribed.''')) @@ -444,7 +454,8 @@ def unsubscription_confirm(mlist, doc, cookie): i18n.set_language(lang) doc.set_language(lang) op, addr = mlist.ProcessConfirmation(cookie) - except Errors.NotAMemberError: + # See comment about TypeError in subscription_confirm. + except (Errors.NotAMemberError, TypeError): bad_confirmation(doc, _('''Invalid confirmation string. It is possible that you are attempting to confirm a request for an address that has already been unsubscribed.''')) @@ -533,7 +544,8 @@ def addrchange_confirm(mlist, doc, cookie): i18n.set_language(lang) doc.set_language(lang) op, oldaddr, newaddr = mlist.ProcessConfirmation(cookie) - except Errors.NotAMemberError: + # See comment about TypeError in subscription_confirm. + except (Errors.NotAMemberError, TypeError): bad_confirmation(doc, _('''Invalid confirmation string. It is possible that you are attempting to confirm a request for an address that has already been unsubscribed.''')) @@ -657,7 +669,8 @@ def heldmsg_confirm(mlist, doc, cookie): # Discard the message mlist.HandleRequest(id, mm_cfg.DISCARD, _('Sender discarded message via web.')) - except (Errors.LostHeldMessage, KeyError): + # See comment about TypeError in subscription_confirm. + except (Errors.LostHeldMessage, KeyError, TypeError): bad_confirmation(doc, _('''The held message with the Subject: header %(subject)s could not be found. The most likely reason for this is that the list moderator has already approved or @@ -770,7 +783,8 @@ def reenable_confirm(mlist, doc, cookie): i18n.set_language(lang) doc.set_language(lang) op, addr = mlist.ProcessConfirmation(cookie) - except Errors.NotAMemberError: + # See comment about TypeError in subscription_confirm. + except (Errors.NotAMemberError, TypeError): bad_confirmation(doc, _('''Invalid confirmation string. It is possible that you are attempting to confirm a request for an address that has already been unsubscribed.''')) -- cgit v1.2.3 From 7e459e691de1e0e97bd99ff550a7a7904a54f61c Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Sat, 10 Nov 2018 10:57:54 -0800 Subject: Use .bin extension for scrubbed application/octet-stream files. --- Mailman/Handlers/Scrubber.py | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Mailman') diff --git a/Mailman/Handlers/Scrubber.py b/Mailman/Handlers/Scrubber.py index 429312be..97e443b7 100644 --- a/Mailman/Handlers/Scrubber.py +++ b/Mailman/Handlers/Scrubber.py @@ -87,6 +87,9 @@ def guess_extension(ctype, ext): all = guess_all_extensions(ctype, strict=False) if ext in all: return ext + if ctype.lower == 'application/octet-stream': + # For this type, all[0] is '.obj'. '.bin' is better. + return '.bin' return all and all[0] -- cgit v1.2.3 From d03507def644416adf753098173220be6f75c137 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Wed, 28 Nov 2018 12:03:48 -0800 Subject: Added recognition for non-compliant opensmtpd DSN Action: error. --- Mailman/Bouncers/DSN.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'Mailman') diff --git a/Mailman/Bouncers/DSN.py b/Mailman/Bouncers/DSN.py index 701617db..b316c696 100644 --- a/Mailman/Bouncers/DSN.py +++ b/Mailman/Bouncers/DSN.py @@ -56,7 +56,8 @@ def check(msg): # Some MTAs have been observed that put comments on the action. if action.startswith('delayed'): return Stop - if not action.startswith('fail'): + # opensmtpd uses non-compliant Action: error. + if not (action.startswith('fail') or action.startswith('error')): # Some non-permanent failure, so ignore this block continue params = [] -- cgit v1.2.3 From a6a9e9960a6e300630ee46b04831850d0bfec50d Mon Sep 17 00:00:00 2001 From: Jim Popovitch Date: Fri, 30 Nov 2018 22:53:02 +0000 Subject: Patch for dmarc_moderation_addresses to automatically apply dmarc_moderation_action against a regexp of addresess --- Mailman/Gui/Privacy.py | 12 ++++++++++++ Mailman/Handlers/SpamDetect.py | 2 +- Mailman/MailList.py | 1 + Mailman/Version.py | 2 +- Mailman/versions.py | 1 + 5 files changed, 16 insertions(+), 2 deletions(-) (limited to 'Mailman') diff --git a/Mailman/Gui/Privacy.py b/Mailman/Gui/Privacy.py index 4df63da1..e171389f 100644 --- a/Mailman/Gui/Privacy.py +++ b/Mailman/Gui/Privacy.py @@ -356,6 +356,18 @@ class Privacy(GUIBase): be sent to anyone who posts to this list from a domain with a DMARC Reject%(quarantine)s Policy.""")), + ('dmarc_moderation_addresses', mm_cfg.EmailListEx, (10, WIDTH), 1, + _("""List of addresses (or regexps) whose posts should always apply + dmarc_moderation_action + regardless of any domain specific DMARC Policy."""), + + _("""Postings from any of these members will automatically + apply DMARC action mitigation. + +

Add member addresses one per line; start the line with a ^ + character to designate a regular expression match.""")), + ('dmarc_wrapped_message_text', mm_cfg.Text, (10, WIDTH), 1, _("""If dmarc_moderation_action applies and is Wrap Message, and this text is provided, the text will be placed in a diff --git a/Mailman/Handlers/SpamDetect.py b/Mailman/Handlers/SpamDetect.py index 7e035184..73fc758f 100644 --- a/Mailman/Handlers/SpamDetect.py +++ b/Mailman/Handlers/SpamDetect.py @@ -109,7 +109,7 @@ def process(mlist, msg, msgdata): msgdata['from_is_list'] = 0 dn, addr = parseaddr(msg.get('from')) if addr and mlist.dmarc_moderation_action > 0: - if Utils.IsDMARCProhibited(mlist, addr): + if mlist.GetPattern(addr, mlist.dmarc_moderation_addresses, at_list='dmarc_moderation_addresses') or Utils.IsDMARCProhibited(mlist, addr): # Note that for dmarc_moderation_action, 0 = Accept, # 1 = Munge, 2 = Wrap, 3 = Reject, 4 = Discard if mlist.dmarc_moderation_action == 1: diff --git a/Mailman/MailList.py b/Mailman/MailList.py index 8e2518c5..d74978af 100644 --- a/Mailman/MailList.py +++ b/Mailman/MailList.py @@ -424,6 +424,7 @@ class MailList(HTMLFormatter, Deliverer, ListAdmin, self.dmarc_none_moderation_action = ( mm_cfg.DEFAULT_DMARC_NONE_MODERATION_ACTION) self.dmarc_moderation_notice = '' + self.dmarc_moderation_addresses = [] self.dmarc_wrapped_message_text = ( mm_cfg.DEFAULT_DMARC_WRAPPED_MESSAGE_TEXT) self.equivalent_domains = ( diff --git a/Mailman/Version.py b/Mailman/Version.py index da704882..f607c126 100644 --- a/Mailman/Version.py +++ b/Mailman/Version.py @@ -37,7 +37,7 @@ HEX_VERSION = ((MAJOR_REV << 24) | (MINOR_REV << 16) | (MICRO_REV << 8) | (REL_LEVEL << 4) | (REL_SERIAL << 0)) # config.pck schema version number -DATA_FILE_VERSION = 110 +DATA_FILE_VERSION = 111 # qfile/*.db schema version number QFILE_SCHEMA_VERSION = 3 diff --git a/Mailman/versions.py b/Mailman/versions.py index 428bb0af..d317a46d 100644 --- a/Mailman/versions.py +++ b/Mailman/versions.py @@ -497,6 +497,7 @@ def NewVars(l): add_only_if_missing('dmarc_none_moderation_action', mm_cfg.DEFAULT_DMARC_NONE_MODERATION_ACTION) add_only_if_missing('dmarc_moderation_notice', '') + add_only_if_missing('dmarc_moderation_addresses', []) add_only_if_missing('dmarc_wrapped_message_text', mm_cfg.DEFAULT_DMARC_WRAPPED_MESSAGE_TEXT) add_only_if_missing('member_verbosity_threshold', -- cgit v1.2.3 From 3242707ec3214cb0ca9c639b99617f69f94f0d05 Mon Sep 17 00:00:00 2001 From: Jim Popovitch Date: Sat, 1 Dec 2018 04:13:12 +0000 Subject: Updated SpamDetect.py and VARHELP based on feedback from Mark S. --- Mailman/Gui/Privacy.py | 6 ++++-- Mailman/Handlers/SpamDetect.py | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'Mailman') diff --git a/Mailman/Gui/Privacy.py b/Mailman/Gui/Privacy.py index e171389f..13d1f2e8 100644 --- a/Mailman/Gui/Privacy.py +++ b/Mailman/Gui/Privacy.py @@ -362,8 +362,10 @@ class Privacy(GUIBase): >dmarc_moderation_action regardless of any domain specific DMARC Policy."""), - _("""Postings from any of these members will automatically - apply DMARC action mitigation. + _("""Postings from any of these addresses will automatically + apply any DMARC action mitigation. This can be utilized to + automatically wrap or munge postings from known addresses or + domains such as internal domains.

Add member addresses one per line; start the line with a ^ character to designate a regular expression match.""")), diff --git a/Mailman/Handlers/SpamDetect.py b/Mailman/Handlers/SpamDetect.py index 73fc758f..cf41303f 100644 --- a/Mailman/Handlers/SpamDetect.py +++ b/Mailman/Handlers/SpamDetect.py @@ -109,7 +109,8 @@ def process(mlist, msg, msgdata): msgdata['from_is_list'] = 0 dn, addr = parseaddr(msg.get('from')) if addr and mlist.dmarc_moderation_action > 0: - if mlist.GetPattern(addr, mlist.dmarc_moderation_addresses, at_list='dmarc_moderation_addresses') or Utils.IsDMARCProhibited(mlist, addr): + if (mlist.GetPattern(addr, mlist.dmarc_moderation_addresses) or + Utils.IsDMARCProhibited(mlist, addr)): # Note that for dmarc_moderation_action, 0 = Accept, # 1 = Munge, 2 = Wrap, 3 = Reject, 4 = Discard if mlist.dmarc_moderation_action == 1: -- cgit v1.2.3 From 189515c4d3f1ed52b83d63577ebefec5c991b281 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Sun, 30 Dec 2018 09:40:15 -0800 Subject: Corrected and augmented some security log messages. --- Mailman/Cgi/create.py | 7 +++++++ Mailman/Cgi/options.py | 2 +- Mailman/Cgi/rmlist.py | 7 +++++++ Mailman/Cgi/roster.py | 4 ++-- 4 files changed, 17 insertions(+), 3 deletions(-) (limited to 'Mailman') diff --git a/Mailman/Cgi/create.py b/Mailman/Cgi/create.py index ebb211ae..d72e6967 100644 --- a/Mailman/Cgi/create.py +++ b/Mailman/Cgi/create.py @@ -162,6 +162,13 @@ def process_request(doc, cgidata): if not ok: ok = Utils.check_global_password(auth) if not ok: + remote = os.environ.get('HTTP_FORWARDED_FOR', + os.environ.get('HTTP_X_FORWARDED_FOR', + os.environ.get('REMOTE_ADDR', + 'unidentified origin'))) + syslog('security', + 'Authorization failed (create): list=%s: remote=%s', + listname, remote) request_creation( doc, cgidata, _('You are not authorized to create new mailing lists')) diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py index 34a7718e..3a3b7841 100644 --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -296,7 +296,7 @@ def main(): os.environ.get('REMOTE_ADDR', 'unidentified origin'))) syslog('security', - 'Authorization failed (private): user=%s: list=%s: remote=%s', + 'Authorization failed (options): user=%s: list=%s: remote=%s', user, listname, remote) # So as not to allow membership leakage, prompt for the email # address and the password here. diff --git a/Mailman/Cgi/rmlist.py b/Mailman/Cgi/rmlist.py index 4472c1c5..4c37a15d 100644 --- a/Mailman/Cgi/rmlist.py +++ b/Mailman/Cgi/rmlist.py @@ -127,6 +127,13 @@ def process_request(doc, cgidata, mlist): mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin), password) == mm_cfg.UnAuthorized: + remote = os.environ.get('HTTP_FORWARDED_FOR', + os.environ.get('HTTP_X_FORWARDED_FOR', + os.environ.get('REMOTE_ADDR', + 'unidentified origin'))) + syslog('security', + 'Authorization failed (rmlist): list=%s: remote=%s', + mlist.internal_name(), remote) request_deletion( doc, mlist, _('You are not authorized to delete this mailing list')) diff --git a/Mailman/Cgi/roster.py b/Mailman/Cgi/roster.py index abf87e08..eddd697b 100644 --- a/Mailman/Cgi/roster.py +++ b/Mailman/Cgi/roster.py @@ -123,8 +123,8 @@ def main(): os.environ.get('REMOTE_ADDR', 'unidentified origin'))) syslog('security', - 'Authorization failed (roster): list=%s: remote=%s', - listname, remote) + 'Authorization failed (roster): user=%s: list=%s: remote=%s', + addr, listname, remote) return # The document and its language -- cgit v1.2.3