Mark Sapiro pushed to branch master at GNU Mailman / Mailman Core


Commits:
873fcdaf by Abhilash Raj at 2020-08-09T12:24:54-07:00
Handle TOCTOU error with two subscription requests of same email.

This happens when the same address is being subscribed simultaneously and each of
them passes the "Address does not exist, so let's create it" test, and when both
of them try to create the same address, one of them is going to fail as the
database would reject the duplicate email address due to the unique constraint.

It is hard to recreate the exact conditions, hence there isn't any test, but
since the exception is raised during the SubscriptionWorkflow run, we catch
blanket Exception and return a 400 bad request with the exception message.

- - - - -
49fcde76 by Abhilash Raj at 2020-08-15T23:56:33+00:00
Merge branch 'master' into 'fix-toctou'

# Conflicts:
#   src/mailman/docs/NEWS.rst
- - - - -
f1169bdd by Mark Sapiro at 2020-08-15T21:33:35-07:00
Merge branch 'maxking/mailman-fix-toctou'

- - - - -


2 changed files:

- src/mailman/docs/NEWS.rst
- src/mailman/rest/members.py


Changes:

=====================================
src/mailman/docs/NEWS.rst
=====================================
@@ -33,6 +33,8 @@ Bugs
 * Messages forwarded when content filtering removes the entire message and
   ``filter_action`` is forward now go to owners as well as moderators.
   (Closes #753)
+* Handle TOCTOU conditions when there are two simultaneous subscription
+  requests for the same email address. (Closes #748)
 
 Command line
 ------------


=====================================
src/mailman/rest/members.py
=====================================
@@ -338,6 +338,9 @@ class AllMembers(_MemberBase):
             except SubscriptionPendingError:
                 conflict(response, b'Subscription request already pending')
                 return
+            except Exception as e:
+                bad_request(response, str(e))
+                return
             if token is None:
                 assert token_owner is TokenOwner.no_one, token_owner
                 # The subscription completed.  Let's get the resulting member
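Review bot: the added `except Exception as e:` branch returns `str(e)` as the 400 response body, which hands the REST client the raw text of whatever failed inside the workflow (for the duplicate-address case that is typically the database driver's integrity-error message, including constraint and table names), and it also converts every unanticipated error in the subscription workflow, programming errors included, into a client-side 400 rather than a 500. Suggest narrowing the clause to the specific integrity error the commit message describes, or keeping the broad handler but replying with a fixed message such as `bad_request(response, b'Subscription request failed')` and logging the exception server-side so the detail is not lost.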



View it on GitLab: 
https://gitlab.com/mailman/mailman/-/compare/9a661aca58487828a0448dd23f6e0d972c82e2fc...f1169bdd043e6859fb28ec6b91d0bf47e7492ffb



_______________________________________________
Mailman-checkins mailing list -- mailman-checkins@python.org
https://mail.python.org/mailman3/lists/mailman-checkins.python.org/