From f1e9440ad3e4babcdc9999f572f7b4d7929130b1 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 3 Jun 2018 22:19:49 +0200 Subject: Separate data in CSRF token by colon to avoid collisions. This makes the data-to-token function injective. Previously, for example, the list called "list1" and the IP "10.0.0.0" would have the same hash as the list called "list" and the IP "110.0.0.0", as the strings were just concatenated. --- Mailman/Cgi/listinfo.py | 6 +++--- Mailman/Cgi/subscribe.py | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'Mailman') diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py index 78fda942..b55c263d 100644 --- a/Mailman/Cgi/listinfo.py +++ b/Mailman/Cgi/listinfo.py @@ -218,9 +218,9 @@ def list_listinfo(mlist, lang): remote = remote.rsplit(':', 1)[0] replacements[''] += ( '\n' - % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + - now + - mlist.internal_name() + + % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" + + now + ":" + + mlist.internal_name() + ":" + remote ).hexdigest() ) diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py index aefce493..b6527a2a 100755 --- a/Mailman/Cgi/subscribe.py +++ b/Mailman/Cgi/subscribe.py @@ -173,9 +173,9 @@ def process_form(mlist, doc, cgidata, lang): except ValueError: ftime = fhash = '' then = 0 - token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + - ftime + - mlist.internal_name() + + token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" + + ftime + ":" + + mlist.internal_name() + ":" + remote1).hexdigest() if ftime and now - then > mm_cfg.FORM_LIFETIME: results.append(_('The form is too old. Please GET it again.')) -- cgit v1.2.3 From 8514e1b722068eace3a9e20bf274a2ae37cdafa3 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Sun, 3 Jun 2018 18:12:09 -0700 Subject: Added Esperanto translation and updated i18n. --- Mailman/Defaults.py.in | 1 + 1 file changed, 1 insertion(+) (limited to 'Mailman') 
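Review bot: The colon separator only makes the token injective if the fields before `remote` can never contain ':' themselves; `now` is presumably a decimal timestamp and `mlist.internal_name()` a list name, but nothing in the listinfo.py hunk states that invariant, so a later change to either field could reintroduce the collision without anyone noticing. A one-line comment next to the concatenation would pin it, e.g. `# ':' must not occur in now or the list name; remote is the last field so it may contain one`, and the same comment belongs in the subscribe.py hunk, which builds the identical string. Separately, `Utils.sha_new(secret + data)` is a secret-prefix hash rather than a keyed MAC; the stdlib `hmac` module with `mm_cfg.SUBSCRIBE_FORM_SECRET` as the key is the conventional construction for this kind of form token and needs no new dependency. The enclosing `list_listinfo` and `process_form` bodies continue outside both hunks.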
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in index 4406a1f3..fc72ef0d 100755 --- a/Mailman/Defaults.py.in +++ b/Mailman/Defaults.py.in @@ -1746,6 +1746,7 @@ add_language('cs', _('Czech'), 'iso-8859-2', 'ltr') add_language('da', _('Danish'), 'iso-8859-1', 'ltr') add_language('de', _('German'), 'iso-8859-1', 'ltr') add_language('en', _('English (USA)'), 'us-ascii', 'ltr') +add_language('eo', _('Esperanto'), 'utf-8', 'ltr') add_language('es', _('Spanish (Spain)'), 'iso-8859-1', 'ltr') add_language('et', _('Estonian'), 'iso-8859-15', 'ltr') add_language('eu', _('Euskara'), 'iso-8859-15', 'ltr') # Basque -- cgit v1.2.3 From b0fda7ec4f1927bae0f930500dea17294b5bbf20 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Mon, 4 Jun 2018 18:02:12 -0700 Subject: Added BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE Feature --- Mailman/Defaults.py.in | 7 ++++++- Mailman/MailList.py | 7 +++++++ Mailman/Utils.py | 21 +++++++++++++++++++++ 3 files changed, 34 insertions(+), 1 deletion(-) (limited to 'Mailman') diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in index fc72ef0d..a124832d 100755 --- a/Mailman/Defaults.py.in +++ b/Mailman/Defaults.py.in @@ -142,9 +142,14 @@ RECAPTCHA_SECRET_KEY = None # in the installation. This supplements the individual list's ban_list. # For example, to ban xxx@aol.com and any @gmail.com address beginning with # yyy, set -# GLOBAL_BAN_LIST = ['xxx@aol.com', '^yyy.*@gmail\.com$'] +# GLOBAL_BAN_LIST = ['xxx@aol\.com', '^yyy.*@gmail\.com$'] GLOBAL_BAN_LIST = [] +# IF the following is set to Yes, and a web subscribe comes from an IPv4 +# address and the IP is listed in Spamhaus ZEN, the subscription will be +# blocked. +BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE = No + # Command that is used to convert text/html parts into plain text. This # should output results to standard output. %(filename)s will contain the # name of the temporary file that the program should operate on. 
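Review bot: The comment on `BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE` does not tell an operator what enabling it entails: every web subscribe from an IPv4 address triggers a DNS lookup of zen.spamhaus.org, which discloses the subscriber's address to a third party and adds a resolver round-trip to the request, and the check is silently skipped when the `dns` resolver module is unavailable (the `if not dns_resolver: return False` branch in this commit's Utils.py hunk). Suggest extending the comment with `# Enabling this issues one DNS query to zen.spamhaus.org per web subscribe; if the dns resolver module is not importable the check is skipped without notice.` so the trade-off is visible where the setting is made.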
diff --git a/Mailman/MailList.py b/Mailman/MailList.py index 619c3206..ecd6ce5c 100755 --- a/Mailman/MailList.py +++ b/Mailman/MailList.py @@ -908,6 +908,13 @@ class MailList(HTMLFormatter, Deliverer, ListAdmin, syslog('vette', '%s banned subscription: %s%s (matched: %s)', realname, email, whence, pattern) raise Errors.MembershipIsBanned, pattern + # See if this is from a spamhaus listed IP. + if remote and BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE: + if Utils.banned_ip(remote): + whence = ' from %s' % remote + syslog('vette', '%s banned subscription: %s%s (Spamhaus IP)', + realname, email, whence) + raise Errors.MembershipIsBanned, pattern # Sanity check the digest flag if digest and not self.digestable: raise Errors.MMCantDigestError diff --git a/Mailman/Utils.py b/Mailman/Utils.py index fd6ac796..2f9bda63 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -1495,3 +1495,24 @@ def xml_to_unicode(s, cset): else: return s +def banned_ip(ip): + if not dns_resolver: + return False + parts = ip.split('.') + if len(parts) != 4: + return False + lookup = '{}.{}.{}.{}.zen.spamhaus.org'.format(parts[3], + parts[2], + parts[1], + parts[0]) + resolver = dns.resolver.Resolver() + try: + ans = resolver.query(lookup, dns.rdatatype.A) + except DNSException: + return False + if not ans: + return False + text = ans.rrset.to_text() + if re.search(r'127\.0\.0\.\d{1,2}$', text, re.MULTILINE): + return True + return False -- cgit v1.2.3 From a8715a7afa8fd36d9118df834b3e8749b0083972 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Mon, 4 Jun 2018 19:19:31 -0700 Subject: Restrict Spamhaus ZEN hits to SBL, CSS and XBL. --- Mailman/Defaults.py.in | 4 ++-- Mailman/Utils.py | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'Mailman') diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in index a124832d..7a86f63c 100755 --- a/Mailman/Defaults.py.in +++ b/Mailman/Defaults.py.in 
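Review bot: `banned_ip` returns False on every failure path — no resolver module, a non-dotted-quad `ip`, `DNSException`, an empty answer — without logging anything, so a broken, blocked or rate-limited lookup is indistinguishable from a clean IP and the new block silently stops working; at minimum the `except DNSException:` branch should log before returning, e.g. `syslog('vette', 'Spamhaus lookup failed for %s', ip)` if `syslog` is in scope in Utils.py as it is in the MailList.py hunk. `dns.resolver.Resolver()` is also created with its default timeouts and runs inside the CGI request, so setting `resolver.lifetime` to a few seconds would bound how long a subscribe can hang on DNS. `len(parts) != 4` checks only the field count, not that the fields are numeric, so any four-dot string produces a lookup for a nonsense name; `socket.inet_aton(ip)` in a try/except would reject those up front. The function has no docstring; one stating that it only handles IPv4 and is fail-open on any error would help the MailList.py caller, where the `AddMember`-style method enclosing the call begins and ends outside its hunk.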
@@ -146,8 +146,8 @@ RECAPTCHA_SECRET_KEY = None GLOBAL_BAN_LIST = [] # IF the following is set to Yes, and a web subscribe comes from an IPv4 -# address and the IP is listed in Spamhaus ZEN, the subscription will be -# blocked. +# address and the IP is listed in Spamhaus SBL, CSS or XBL, the subscription +# will be blocked. BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE = No # Command that is used to convert text/html parts into plain text. This diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 2f9bda63..cdc82366 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -1513,6 +1513,6 @@ def banned_ip(ip): if not ans: return False text = ans.rrset.to_text() - if re.search(r'127\.0\.0\.\d{1,2}$', text, re.MULTILINE): + if re.search(r'127\.0\.0\.[2-7]$', text, re.MULTILINE): return True return False -- cgit v1.2.3 From 2b3aacbdb800115909a59d1a89bc1e67a75a14e3 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Mon, 4 Jun 2018 21:25:36 -0700 Subject: Ooops. Forgot mm_cfg. --- Mailman/MailList.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Mailman') diff --git a/Mailman/MailList.py b/Mailman/MailList.py index ecd6ce5c..991ffd7f 100755 --- a/Mailman/MailList.py +++ b/Mailman/MailList.py @@ -909,7 +909,7 @@ class MailList(HTMLFormatter, Deliverer, ListAdmin, realname, email, whence, pattern) raise Errors.MembershipIsBanned, pattern # See if this is from a spamhaus listed IP. - if remote and BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE: + if remote and mm_cfg.BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE: if Utils.banned_ip(remote): whence = ' from %s' % remote syslog('vette', '%s banned subscription: %s%s (Spamhaus IP)', -- cgit v1.2.3 From ca506e913faa49331db68f541774fdb773653988 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Mon, 4 Jun 2018 21:44:32 -0700 Subject: Not at all my day. --- Mailman/MailList.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Mailman') diff --git a/Mailman/MailList.py b/Mailman/MailList.py index 991ffd7f..fdc3802a 100755 
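Review bot: The new pattern `127\.0\.0\.[2-7]$` encodes the Spamhaus return-code ranges without saying so in the code, so the intent in the commit subject is lost to the next reader; a comment such as `# 127.0.0.2 = SBL, 127.0.0.3 = CSS, 127.0.0.4-7 = XBL; 127.0.0.10-11 (PBL) deliberately not matched` above the `re.search` would carry it. Matching against `ans.rrset.to_text()` with MULTILINE also relies on the textual rendering ending each line with the address; iterating the answer and comparing each record's `address` attribute against a tuple of the accepted codes avoids the regex and the rendering dependency. `banned_ip` starts outside this hunk.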
--- a/Mailman/MailList.py +++ b/Mailman/MailList.py @@ -914,7 +914,7 @@ class MailList(HTMLFormatter, Deliverer, ListAdmin, whence = ' from %s' % remote syslog('vette', '%s banned subscription: %s%s (Spamhaus IP)', realname, email, whence) - raise Errors.MembershipIsBanned, pattern + raise Errors.MembershipIsBanned, 'Spamhaus IP' # Sanity check the digest flag if digest and not self.digestable: raise Errors.MMCantDigestError -- cgit v1.2.3