On 2021-12-13 at 13:02:22 UTC-0500 (Tue, 14 Dec 2021 03:02:22 +0900)
Stephen J. Turnbull <stephenjturnb...@gmail.com>
is rumored to have said:

Mailman-admin writes:
On 13.12.21 at 12:09, Sebastian Hagedorn wrote:

Nov 24 19:33:24 2021 (117276) Form for user x...@smail.uni-koeln.de
submitted with CSRF token issued for x...@smail.uni-koeln.de.

The only difference is in the case of the email address. I’m no expert
on CSRF attacks, but to me it seems as though the comparison should
perhaps disregard differences in case only?

As local part of an email address can be case sensitive,

This is true, but

this should only be case insensitive for the domain part.
[...]
So this is potentially very complicated.

Case-squashing domain parts? Not complicated. Simple. The hardest part is handling IDN, which is not in fact all that hard.

The only utility in mixed-case domain names is for human readability and the non-standard trick that uses case preservation as a means of detecting DNS hijacking. The bottom line on that trick is that only DNS servers should care about preserving domain name case.

Also simple: NEVER try to interpret or canonicalize local-parts that exist in someone else's domain. You cannot programmatically determine whether 2 different local-parts are equivalent unless you run the delivery system for them.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
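
The comparison rule described in the reply above, sketched in Python as an added example; it is not part of the original message and is not Mailman's code. The function names are hypothetical and the sample addresses are constructed. It folds case (and IDN form) on the domain only and compares local-parts byte for byte.

```python
# Added example: compare two addresses without interpreting the local-part.
# All names here are hypothetical; sample addresses are constructed.

def split_address(addr):
    """Split at the LAST '@'; a quoted local-part may itself contain '@'."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an addr-spec: {addr!r}")
    return local, domain


def canonical_domain(domain):
    """Return the domain in lower-case ASCII (A-label) form.

    Python's built-in 'idna' codec (IDNA 2003) case-folds and
    punycode-encodes non-ASCII labels; pure-ASCII labels pass through
    unchanged, hence the explicit lower().
    """
    try:
        return domain.encode("idna").decode("ascii").lower()
    except UnicodeError as exc:  # empty or over-long label, bad code point
        raise ValueError(f"invalid domain: {domain!r}") from exc


def same_address(a, b):
    """True only if local-parts are identical and domains are equivalent."""
    local_a, domain_a = split_address(a)
    local_b, domain_b = split_address(b)
    # Local-parts belong to the receiving domain: no lower(), no trimming.
    return local_a == local_b and canonical_domain(domain_a) == canonical_domain(domain_b)


if __name__ == "__main__":
    pairs = [  # constructed samples
        ("User@Example.ORG", "User@example.org"),            # domain case only
        ("User@example.org", "user@example.org"),            # local-part case
        ("list@BÜCHER.example", "list@xn--bcher-kva.example"),  # IDN vs A-label
    ]
    for left, right in pairs:
        print(f"{left!r} vs {right!r}: {same_address(left, right)}")
```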
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org