[Mailman-Developers] RELEASED Mailman 2.0.12
I' released Mailman 2.0.12 which fixes a cross-site scripting vulnerability, among other changes. I recommend that folks upgrade their 2.0.x systems to this new version. See below for a NEWS file excerpt. As usual, I've made both full source tarballs and patches available. See http://sourceforge.net/project/showfiles.php?group_id=103 for links to download all the patches and the source tarball. If you decide to install the patches, please do read the release notes first: http://sourceforge.net/project/shownotes.php?release_id=97760 See also: http://www.gnu.org/software/mailman http://www.list.org http://mailman.sf.net Cheers, -Barry snip snip 2.0.12 (02-Jul-2002) - Implemented a guard against some reply loops and 'bot subscription attacks. Specifically, if a message to -request has a Precedence: bulk (or list, or junk) header, the command is ignored. Well-behaved 'bots should always include such a header. - Changes to the configure script so that you can pass in the mail host and web host by setting the environment variables MAILHOST and WWWHOST respectively. configure will also exit if it can't figure out these values (usually due to broken dns). - Closed another minor cross-site scripting vulnerability. ___ Mailman-Developers mailing list [EMAIL PROTECTED] http://mail.python.org/mailman-21/listinfo/mailman-developers
[Mailman-Developers] 2 pgms to assist in maintaining lists
Hi, I've written 2 programs to help me maintain my mailing lists. The first I call add_nonmembers. This program is based on add_members (I copied add_members to add_nonmembers and modified it :-). What it does is give me a simple command line interface to modifying the 4 options: accept_these_nonmembers hold_these_nonmembers reject_these_nonmembers discard_these_nonmembers 3 of my mailing lists are for the particular type of employee: faculty, grads and staff. I want anyone on any of the lists to be able to post to any of the lists. Under majordomo I could point their equivalent of accept_these_nonmembers to a file which I would generate by listing all the members of all 3 lists. Under mailman I need to add everyone from the other 2 lists to the first list's accept_these_nonmembers option. I didn't see an easy way to do this, so I wrote add_nonmembers. The second program I wrote I call subscribe_lists. It's similar to add_members, except it takes an address and as many lists as you want and subscribes the address to all of the lists. When we setup a new user, we usually subscribe them to multiple lists -- I felt it was easier to have a straightforward way to do this (rather than running add_members n times for n lists with the address coming from stdin each time. I'll include them (since they are short) -- or is there a better way to submit these? (if anyone is even interested :-) ...dave alden ps These are based on 2.1b2. #! /usr/bin/python # # Copyright (C) 1998,1999,2000,2001,2002 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # # argv[1] should be the name of the list. # Make sure that the list of email addresses doesn't contain any comments, # like majordomo may throw in. For now, you just have to remove them manually. Add nonmembers to a list from the command line. Usage: add_nonmembers [options] listname Options: --accepted-file=file -a file A file containing addresses of the members to be added, one address per line, to the list of postings which are automatically accepted. If file is `-', read addresses from stdin. --moderated-file=file -m file A file containing addresses of the members to be added, one address per line, to the list of postings which are held for moderation. If file is `-', read addresses from stdin. --rejected-file=file -r file A file containing addresses of the members to be added, one address per line, to the list of postings which are automatically rejected. If file is `-', read addresses from stdin. --discarded-file=file -d file A file containing addresses of the members to be added, one address per line, to the list of postings which are automatically discarded. If file is `-', read addresses from stdin. --empty -e Empty all current addresses from the list before adding new addresses. --verbose -v Verbose output. Display messages stating whether each address was added or already in a list --help -h Print this help message and exit. listname The name of the Mailman list you are adding members to. It must already exist. You must supply at least one of -n and -d options. At most one of the files can be `-'. import sys import os import getopt from cStringIO import StringIO import paths # Import this /after/ paths so that the sys.path is properly hacked from email.Utils import parseaddr from Mailman import MailList from Mailman import Utils from Mailman import Message from Mailman import Errors from Mailman import mm_cfg from Mailman import i18n _ = i18n._ def usage(status, msg=''): print sys.stderr, _(__doc__) if msg: print sys.stderr, msg sys.exit(status) def readfile(filename): if filename == '-': fp = sys.stdin closep = 0 else: fp = open(filename) closep = 1 # strip all the lines of whitespace and discard blank lines lines = filter(None, [line.strip() for line in fp.readlines()]) if closep: fp.close() return lines class Tee: def __init__(self, outfp): self.__outfp = outfp def
Re: [Mailman-Developers] .lower() for older pythons
MD == Matt Domsch [EMAIL PROTECTED] writes:
MD Thanks for this update. I've run across one problem. In
MD Mailman/MailCommandHandler.py, ParseMailCommands function:
| +precedence = msg.get('precedence', '').lower()
| +ack = msg.get('x-ack', '').lower()
MD With my python (1.5.2-30 as in Red Hat Linux 7.1), this
MD generates lots of errors in mailman/logs/error:
Damn! It's really getting hard to keep Python 1.5.2 in mind. :(
MD I believe the proper fix is:
MD + precedence = string.lower(msg.get('precedence', '')) + ack =
MD string.lower(msg.get('x-ack', ''))
MD instead. With this, it works and doesn't generate those
MD errors. I'm not on mailman-developers, so please cc me on any
MD replies.
You're exactly right. Attached is a patch. I guess I have to
generate a 2.0.13. :(
-Barry
___
Mailman-Developers mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman-21/listinfo/mailman-developers
Re: [Mailman-Developers] .lower() for older pythons
MD == Matt Domsch [EMAIL PROTECTED] writes:
MD Thanks for this update. I've run across one problem. In
MD Mailman/MailCommandHandler.py, ParseMailCommands function:
| +precedence = msg.get('precedence', '').lower()
| +ack = msg.get('x-ack', '').lower()
MD With my python (1.5.2-30 as in Red Hat Linux 7.1), this
MD generates lots of errors in mailman/logs/error:
Damn! It's really getting hard to keep Python 1.5.2 in mind. :(
MD I believe the proper fix is:
MD + precedence = string.lower(msg.get('precedence', '')) + ack =
MD string.lower(msg.get('x-ack', ''))
MD instead. With this, it works and doesn't generate those
MD errors. I'm not on mailman-developers, so please cc me on any
MD replies.
You're exactly right. Attached is a patch. I guess I have to
generate a 2.0.13. :(
-Barry
snip snip
Index: MailCommandHandler.py
===
RCS file: /cvsroot/mailman/mailman/Mailman/Attic/MailCommandHandler.py,v
retrieving revision 1.70.2.1
diff -u -r1.70.2.1 MailCommandHandler.py
--- MailCommandHandler.py 2 Jul 2002 16:33:23 - 1.70.2.1
+++ MailCommandHandler.py 11 Jul 2002 21:16:47 -
@@ -120,8 +120,8 @@
# of these clues, so there's little we can do to break loops in that
# case, except throttle the number of responses sent to any one
# requester in a day. That's a job for MM2.1.
-precedence = msg.get('precedence', '').lower()
-ack = msg.get('x-ack', '').lower()
+precedence = string.lower(msg.get('precedence', ''))
+ack = string.lower(msg.get('x-ack', ''))
beenthere = msg.get('x-beenthere', '')
listid = msg.get('list-id', '')
if (precedence in ('bulk', 'list', 'junk') or
___
Mailman-Developers mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman-21/listinfo/mailman-developers
[Mailman-Developers] [ mailman-Bugs-577685 ] sh syntax problem inconfigure
Bugs item #577685, was opened at 2002-07-05 03:35 You can respond by visiting: https://sourceforge.net/tracker/?func=detailatid=100103aid=577685group_id=103 Category: configuring/installing Group: 2.0.x Status: Open Resolution: None Priority: 5 Submitted By: Tokio Kikuchi (tkikuchi) Assigned to: Nobody/Anonymous (nobody) Summary: sh syntax problem in configure Initial Comment: in 2.0.12 configure script includes a statement: if [ $? == 1 ] which should be in a traditional sh: if [ $? = 1 ] (Note single =, not double =) configure fails on solaris 8 with double =, while the error was ignored on FreeBSD. -- Comment By: Barry A. Warsaw (bwarsaw) Date: 2002-07-11 18:28 Message: Logged In: YES user_id=12800 Can you please try the attached patch? -- You can respond by visiting: https://sourceforge.net/tracker/?func=detailatid=100103aid=577685group_id=103 ___ Mailman-Developers mailing list [EMAIL PROTECTED] http://mail.python.org/mailman-21/listinfo/mailman-developers
Re: [Mailman-Developers] suggestion for configure
A long time ago, Ron Jarrell [EMAIL PROTECTED] wrote: RJ Add a --with-fqdn and --with-url or equivalent. Done, except I'm calling them --with-mailhost and --with-urlhost. ;) I'm also simplifying the configure tests for the defaults of these two values. Now, it'll just use the results of socket.getfqdn() without all the fancy (and fragile) attempts at whacking off the leading `www'. So by default, when I run it I get DEFAULT_EMAIL_HOST and DEFAULT_URL_HOST set to yyz.zope.com. Setting DEFAULT_URL_HOST to that isn't correct for my machine, so I now run configure --with-urlhost=localhost Of course, it's also easy to just change these values in mm_cfg.py -Barry ___ Mailman-Developers mailing list [EMAIL PROTECTED] http://mail.python.org/mailman-21/listinfo/mailman-developers
[Mailman-Developers] [ mailman-Bugs-577685 ] sh syntax problem inconfigure
Bugs item #577685, was opened at 2002-07-05 03:35 You can respond by visiting: https://sourceforge.net/tracker/?func=detailatid=100103aid=577685group_id=103 Category: configuring/installing Group: 2.0.x Status: Open Resolution: None Priority: 5 Submitted By: Tokio Kikuchi (tkikuchi) Assigned to: Nobody/Anonymous (nobody) Summary: sh syntax problem in configure Initial Comment: in 2.0.12 configure script includes a statement: if [ $? == 1 ] which should be in a traditional sh: if [ $? = 1 ] (Note single =, not double =) configure fails on solaris 8 with double =, while the error was ignored on FreeBSD. -- Comment By: Barry A. Warsaw (bwarsaw) Date: 2002-07-11 18:30 Message: Logged In: YES user_id=12800 Note that that patch is against configure.in, so you'll need to run autoreconf (or just patch configure by hand). Let me know if that's a problem. -- Comment By: Barry A. Warsaw (bwarsaw) Date: 2002-07-11 18:29 Message: Logged In: YES user_id=12800 Let's try that again with the checkbox checked off. :/ -- Comment By: Barry A. Warsaw (bwarsaw) Date: 2002-07-11 18:28 Message: Logged In: YES user_id=12800 Can you please try the attached patch? -- You can respond by visiting: https://sourceforge.net/tracker/?func=detailatid=100103aid=577685group_id=103 ___ Mailman-Developers mailing list [EMAIL PROTECTED] http://mail.python.org/mailman-21/listinfo/mailman-developers
Re: [Mailman-Developers] OSX installation problem - no mailmanuser
Greg Westin [EMAIL PROTECTED] wrote: I sent this question to the mailman-users list and got no response, so I thought maybe I should try here. I don't know if this is a problem because I'm a novice at these UNIX installations, or if there's something wrong with the Darwin installer: I haven't looked at the configure script (at all...I don't know what language it's in), but the symptoms sound as if the script is not using normal system calls to retrieve the mailman user information... the Pythonic pwd.getpwnam() for example would get it just fine. Is it doing the equivalent of grep mailman /etc/passwd ?...if so it cannot succeed in a proper Mac OS X (although one could create the user, find the numeric UID, and use vipw to install the user in /etc/passwd and whatever we have to install the group in /etc/group. Barry...you probably know this, but NetInfo is going away in a month or so (Jaguar) to be replaced by an LDAP-based solution. So doing a NetInfo-specific fix would probably be unwise. --John (not under Jaguar NDA, and without Jaguar) -- John BaxterPort Ludlow, WA, USA I am NOT out of the office. I will respond if and when I get around to it. ___ Mailman-Developers mailing list [EMAIL PROTECTED] http://mail.python.org/mailman-21/listinfo/mailman-developers
