-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmailman-notes.txt
More file actions
47 lines (39 loc) · 2.35 KB
/
mailman-notes.txt
File metadata and controls
47 lines (39 loc) · 2.35 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
2.1.16 - 2.1.20
mm_cfg.SUBSCRIBE_FORM_SECRET + now + mlist.internal_name() + (remote_host / remote_addr)
2.1.21 - 2.1.26
remote = remote.rsplit('.', 1)[0] / remote.rsplit(':', 1)[0]
mm_cfg.SUBSCRIBE_FORM_SECRET + now + mlist.internal_name() + remote
2.1.27 - 2.1.29
remote = remote.rsplit('.', 1)[0] / remote.rsplit(':', 1)[0]
mm_cfg.SUBSCRIBE_FORM_SECRET + ":" + now + ":" + mlist.internal_name() + ":" + remote
2.1.30+
remote = remote.rsplit('.', 1)[0] / remote.rsplit(':', 1)[0]
mm_cfg.SUBSCRIBE_FORM_SECRET + ":" + now + ":" + captcha_idx + ":" + mlist.internal_name() + ":" + remote
2.1.16 (16-Oct-2013)
- There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET which will put
a dynamically generated, hidden hash in the listinfo subscribe form and
check it upon submission. Setting this will prevent automated processes
(bots) from successfully POSTing web subscribes without first retrieving
and parsing the form from the listinfo page. The form must also be
submitted no later than FORM_LIFETIME nor no earlier than
SUBSCRIBE_FORM_MIN_TIME after retrieval. Note that enabling this will
break any static subscribe forms on your site. See the description in
Defaults.py for more info. (LP: #1082746)
2.1.21 (28-Feb-2016)
- If SUBSCRIBE_FORM_SECRET is enabled and a user's network has a load
balancer or similar in use the POSTing IP might not exactly match the
GETting IP. This is now accounted for by not requiring the last
octet (16 bits for ipV6) to match. (LP: #1447445)
2.1.27 (22-Jun-2018)
- The hash generated when SUBSCRIBE_FORM_SECRET is set could have been
the same as one generated at the same time for a different list and
IP address. While this is not thought to be exploitable in any way,
the generation has been changed to avoid this. Thanks to Ralf Jung.
2.1.30 (13-Apr-2020)
- Thanks to Ralf Jung there is now the ability to add text based captchas
(aka textchas) to the listinfo subscribe form. See the documentation
for the new CAPTCHA setting in Defaults.py for how to enable this. Also
note that if you have custom listinfo.html templates, you will have to
add a <mm-captcha-ui> tag to those templates to make this work. This
feature can be used in combination with or instead of the Google
reCAPTCHA feature added in 2.1.26.