It seems to me that the logic in this change is not correct:

https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1881

For lists with private_roster > 0, when the user has entered an email address 
which is not subscribed to that list, the return is taken without having 
printed a response.  In my environment, Apache httpd then sends a 500 Internal 
Server Error to the browser.  While not saying so in so many words, this 
behaviour does subtly disclose that the email address is not subscribed.  The 
only privacy-preserving way to proceed would be for Mailman to pretend that the 
user is subscribed, which is what happened prior to this revision.
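
Added example, not part of the original post and not Mailman's code: a minimal Python model of the behaviour described above, with a check that the browser-visible response is the same for subscribed and unsubscribed addresses. The function names, the sample roster, the response text and the public-roster branch are all assumptions made for illustration.

```python
# Hypothetical model of the reported behaviour; none of this is Mailman code.
MEMBERS = {"alice@example.org"}              # constructed sample roster
GENERIC = "Your request has been processed."  # constructed response text


def do_member_action(addr, outbox):
    """Stand-in for whatever the real handler does for a member."""
    outbox.append(addr)


def handler_silent_return(addr, private_roster, outbox):
    """Pattern described in the post: bare return for a non-member."""
    if addr not in MEMBERS:
        if private_roster > 0:
            return None                      # nothing is printed
        return (200, "No such member")       # assumption: public roster
    do_member_action(addr, outbox)
    return (200, GENERIC)


def handler_uniform(addr, private_roster, outbox):
    """Same page either way when the roster is private."""
    if addr in MEMBERS:
        do_member_action(addr, outbox)       # side effect only for members
    elif private_roster == 0:
        return (200, "No such member")       # assumption: public roster
    return (200, GENERIC)


def serve(handler, addr, private_roster=2):
    """Stand-in for the web server: empty CGI output becomes a 500."""
    outbox = []
    result = handler(addr, private_roster, outbox)
    if result is None:
        result = (500, "Internal Server Error")
    return result, outbox


def leaks_membership(handler, member, non_member):
    """True if the response alone distinguishes member from non-member."""
    return serve(handler, member)[0] != serve(handler, non_member)[0]


if __name__ == "__main__":
    for h in (handler_silent_return, handler_uniform):
        print(h.__name__, "leaks:",
              leaks_membership(h, "alice@example.org", "mallory@example.net"))
```

A comparison like `leaks_membership` can serve as a regression test for any handler that must not reveal roster membership.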