[Mailman-Developers] Re: Changing cookie name in mailman 2.1.26
On 4/21/20 3:30 AM, Chris Joyce wrote:
> Hi,
>
> I would like to know how easy it would be to change the name of the user
> cookie?
...
> If someone could let me know, yes it's possible that would be great.
> Actually if someone could say look at this file and that file that would be
> a great help too.

The relevant code is Mailman/SecurityManager.py line 108 which says

    userdata = urllib.quote(Utils.ObscureEmail(user), safe='')

Utils.ObscureEmail(user) is what replaces the '@' in the email address with '--at--'. I think it would be fine to just change that line to

    userdata = urllib.quote(user, safe='')

This will leave the '@' unchanged in user, but urllib.quote will change it to %40 which I think is OK. The Cookie name is a 'token' as defined in RFC 2616, sec 2.2 and allows '%' (but not '@').

The inversion at lines 318-319 does `Utils.UnobscureEmail(urllib.unquote(u))`. urllib.unquote will convert %40 back to @ and UnobscureEmail will ignore the '@', so all should be good.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
___
Mailman-Developers mailing list -- mailman-developers@python.org
To unsubscribe send an email to mailman-developers-le...@python.org
https://mail.python.org/mailman3/lists/mailman-developers.python.org/
Mailman FAQ: https://wiki.list.org/x/AgA3
Security Policy: https://wiki.list.org/x/QIA9
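The change discussed in the reply above can be checked offline before touching a live install. This is an added example, not Mailman's code and not part of the original message: `obscure_email` and `unobscure_email` are stand-ins written from the behaviour described in the thread, the `list+user+<userdata>` layout is taken from the cookie form quoted in the question, and Python 3's `urllib.parse.quote`/`unquote` replace the Python 2 `urllib.quote`/`unquote` that Mailman 2.1 uses.

```python
from urllib.parse import quote, unquote  # Python 3 names for urllib.quote/unquote

# RFC 2616 sec 2.2 separators; a token is 1*<CHAR except CTLs or separators>.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

def is_token(s):
    return bool(s) and all(32 < ord(c) < 127 and c not in SEPARATORS for c in s)

def obscure_email(addr):
    # Stand-in for Utils.ObscureEmail as described in the thread.
    return addr.replace('@', '--at--')

def unobscure_email(addr):
    # Stand-in for Utils.UnobscureEmail; a plain '@' passes through untouched.
    return addr.replace('--at--', '@')

def cookie_name(listname, user, obscure):
    # obscure=True models the current line 108, obscure=False the proposed one.
    userdata = quote(obscure_email(user) if obscure else user, safe='')
    # Name layout assumed from the thread: list+user+<userdata>.
    return listname + '+user+' + userdata

def user_from_cookie(name):
    # Mirrors the inversion quoted from lines 318-319.
    u = name.split('+user+', 1)[1]
    return unobscure_email(unquote(u))

def report(listname, user):
    rows = {}
    for label, obscure in (('current', True), ('proposed', False)):
        name = cookie_name(listname, user, obscure)
        rows[label] = {
            'name': name,
            'valid_token': is_token(name),
            'has_double_dash': '--' in name,  # the sequence the WAF flagged
            'round_trip': user_from_cookie(name) == user,
        }
    return rows

if __name__ == '__main__':
    # Constructed sample addresses; the second carries a '--' of its own.
    for addr in ('jane@example.com', 'jane--doe@example.com'):
        for label, row in report('mylist', addr).items():
            print(addr, label, row)
```

Cookies issued before the change still decode, because the inversion keeps calling the unobscure step. An address that itself contains `--` still yields a cookie name with that sequence, since `-` is never percent-encoded.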
[Mailman-Developers] Changing cookie name in mailman 2.1.26
Hi,

I would like to know how easy it would be to change the name of the user cookie?

The reason being we have recently deployed a WAF in front of our mailman web instances and although it's in detection mode (not prevention yet) it is picking up the mailman user cookie as containing SQL Injection or rather a SQL Comment. The WAF uses OWASP 3.0 rules and the rule matched is 942440.

Mailman sets a cookie name in the form list+user+email--at--domain and it's that “--at” that is detected as SQL Comment; I really don’t want to disable the rule and applying an ignore rule within the WAF doesn’t work.

If someone could let me know, yes it's possible that would be great. Actually if someone could say look at this file and that file that would be a great help too. I don’t know Python, but I am a web developer (.Net).

Many thanks
Chris
[Mailman-Developers] Re: AppleMail and Mailman3 content filtering
On 4/21/20 2:15 AM, Mike Gabriel via Mailman-Developers wrote:
> Hi all,
>
> I have a special case in a 3.3.0 Mailman3 instance.
>
> One of our users uses AppleMail and sends a mail with PDF attachment to
> a mailing list with the following settings in Postorius:
>
> [x] filter content
> [x] collapse alternatives
> [x] convert html to plaintext
>
> However, the PDF is not getting delivered to the mailing list
> recipients. It gets stripped off.

I see the issue.

> The mail structure of the original mail is this:

Summarized

    multipart/alternative
        text/plain
        multipart/mixed
            text/html
            application/pdf
            text/html

So the issue is the Apple Mail user is composing the message in rich text (HTML) format and drags and drops the PDF in the middle of the message body. Apple Mail then makes the

    multipart/mixed
        text/html
        application/pdf
        text/html

message part [1] and finally makes the text/plain alternative that doesn't include the PDF.

Since your content filtering is set to collapse alternatives, only the text/plain first alternative part goes to the list.

I'm not that familiar with Apple Mail, but there may be a way for the user to 'attach' the PDF rather than dropping it into the message body and that may work.

[1] This message part will actually be displayed as composed only by an Apple Mail client, but that's another issue - part of "if you don't ask to interoperate with anything outside the Apple ecosystem, everything will be fine".

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
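The effect described in the reply above can be reproduced with Python's standard `email` package. This is an added example, not Mailman's MimeDel code and not part of the original message: `collapse_alternatives` is a simplified model that keeps only the first subpart of each multipart/alternative, both messages are constructed, and the layout used for a regularly attached PDF is an assumption.

```python
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def inline_pdf_message():
    # Constructed message with the structure summarized above: the PDF sits
    # inside the HTML alternative, the text/plain alternative has no PDF.
    mixed = MIMEMultipart('mixed')
    mixed.attach(MIMEText('<p>before</p>', 'html'))
    mixed.attach(MIMEApplication(b'%PDF-1.4 constructed', 'pdf'))
    mixed.attach(MIMEText('<p>after</p>', 'html'))
    outer = MIMEMultipart('alternative')
    outer.attach(MIMEText('before after', 'plain'))
    outer.attach(mixed)
    return outer

def attached_pdf_message():
    # Assumed layout for a PDF added as a regular attachment: it is a sibling
    # of the alternatives rather than a child of one.
    alt = MIMEMultipart('alternative')
    alt.attach(MIMEText('body', 'plain'))
    alt.attach(MIMEText('<p>body</p>', 'html'))
    outer = MIMEMultipart('mixed')
    outer.attach(alt)
    outer.attach(MIMEApplication(b'%PDF-1.4 constructed', 'pdf'))
    return outer

def structure(msg):
    return [part.get_content_type() for part in msg.walk()]

def collapse_alternatives(msg):
    # Simplified model: every multipart/alternative becomes its first subpart.
    if msg.get_content_type() == 'multipart/alternative':
        return collapse_alternatives(msg.get_payload()[0])
    if msg.is_multipart():
        msg.set_payload([collapse_alternatives(p) for p in msg.get_payload()])
    return msg

def dropped_attachments(msg):
    # Non-text leaf types present before collapsing but absent afterwards.
    before = structure(msg)
    after = structure(collapse_alternatives(msg))
    return [t for t in before
            if not t.startswith(('text/', 'multipart/')) and t not in after]

if __name__ == '__main__':
    print(dropped_attachments(inline_pdf_message()))    # PDF is lost
    print(dropped_attachments(attached_pdf_message()))  # PDF survives
```

Running `dropped_attachments` on a copy of a held message shows whether collapsing alternatives would strip an attachment before the message is approved.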
[Mailman-Developers] Re: MIME type filtering
On Tue 21 Apr 2020 16:11:21 CEST, Abhilash Raj wrote:
> On Tue, Apr 21, 2020, at 2:17 AM, Mike Gabriel via Mailman-Developers wrote:
>> Hi all,
>>
>> a more general question... In Mailman2 one could filter MIME type
>> based on file suffix and/or MIME type name.
>>
>> Is this possible already in Mailman3? How is that done? Or is it on
>> the feature wishlist still? Or just not configurable via Postorius?
>
> That’s right, the settings aren’t exposed in the latest release of
> Postorius but it has already been added to the git master. Expect a new
> release in about 3 weeks.

That's awesome!!! Thanks for the feedback.

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
[Mailman-Developers] Re: MIME type filtering
On Tue, Apr 21, 2020, at 2:17 AM, Mike Gabriel via Mailman-Developers wrote:
> Hi all,
>
> a more general question... In Mailman2 one could filter MIME type
> based on file suffix and/or MIME type name.
>
> Is this possible already in Mailman3? How is that done? Or is it on
> the feature wishlist still? Or just not configurable via Postorius?

That’s right, the settings aren’t exposed in the latest release of Postorius but it has already been added to the git master. Expect a new release in about 3 weeks.

> Thanks for any sort of feedback,
> Mike
> --
>
> DAS-NETZWERKTEAM
> c\o Technik- und Ökologiezentrum Eckernförde
> Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
> mobile: +49 (1520) 1976 148
> landline: +49 (4351) 850 8940
>
> GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
> mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

--
thanks,
Abhilash Raj (maxking)
[Mailman-Developers] AppleMail and Mailman3 content filtering
Hi all,

I have a special case in a 3.3.0 Mailman3 instance.

One of our users uses AppleMail and sends a mail with PDF attachment to a mailing list with the following settings in Postorius:

[x] filter content
[x] collapse alternatives
[x] convert html to plaintext

However, the PDF is not getting delivered to the mailing list recipients. It gets stripped off.

The mail structure of the original mail is this:

```
[...]
From: [...]
Content-Type: multipart/alternative; boundary="Apple-Mail=_F2665084-9FD9-4017-B8F0-8E6ABE6D424C"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Subject: Fwd: [...]
Message-Id: [...]
References: [...]
To: Mike Gabriel <[...]>
Date: Tue, 21 Apr 2020 06:35:52 +0200
X-Mailer: Apple Mail (2.3273)
[... headers ...]

--Apple-Mail=_F2665084-9FD9-4017-B8F0-8E6ABE6D424C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=utf-8

[... quoted printable text ...]

--Apple-Mail=_F2665084-9FD9-4017-B8F0-8E6ABE6D424C
Content-Type: multipart/mixed; boundary="Apple-Mail=_702BD6D5-BCE8-42D9-83D4-5F316F5F607B"

--Apple-Mail=_702BD6D5-BCE8-42D9-83D4-5F316F5F607B
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=utf-8

[... html coded text ...]

--Apple-Mail=_702BD6D5-BCE8-42D9-83D4-5F316F5F607B
Content-Disposition: inline; filename=".pdf"
Content-Type: application/pdf; x-unix-mode=0644; name=".pdf"
Content-Transfer-Encoding: base64

[ ... base64 encoded PDF ...]

--Apple-Mail=_702BD6D5-BCE8-42D9-83D4-5F316F5F607B
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=utf-8

[... html coded text ...]

--Apple-Mail=_702BD6D5-BCE8-42D9-83D4-5F316F5F607B--
--Apple-Mail=_F2665084-9FD9-4017-B8F0-8E6ABE6D424C--
```

When such a (forwarded mail) arrives at the mailing list server, it is held back for moderation. In the moderation dialog box (Postorius) I can see the attachment and can also open it locally for review. I then accept the mail for list delivery and when delivered the PDF attachment is gone.

The resulting mail structure looks like this:

```
[...]
From: [...]
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Message-Id: [...]
References: [...]
To:
Date: Mon, 20 Apr 2020 09:33:12 +0200
X-Mailer: Apple Mail (2.3273)
[...]
X-MailFrom: [...]
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation
Message-ID-Hash: [...]
X-Message-ID-Hash: [...]
X-Mailman-Approved-At: Mon, 20 Apr 2020 17:09:31 +0200
X-Content-Filtered-By: Mailman/MimeDel 3.3.0
X-Mailman-Version: 3.3.0
Precedence: list
Subject: =?utf-8?q?=5BTest-Klasse=5D_?= Fwd: [...]
List-Id: [...]
Archived-At: [...]
List-Archive: [...]
List-Help: [...]
List-Post: NO
List-Subscribe: [...]
List-Unsubscribe: [...]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
[...]

[... base64 encoded utf8 text ...]
```

Does this ring a bell for someone? Is it a known issue that has been fixed after 3.3.0 was released? Or is it a new phenomenon that needs to be tracked down?

light+love
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
[Mailman-Developers] MIME type filtering
Hi all,

a more general question... In Mailman2 one could filter MIME type based on file suffix and/or MIME type name.

Is this possible already in Mailman3? How is that done? Or is it on the feature wishlist still? Or just not configurable via Postorius?

Thanks for any sort of feedback,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de