Re: [Mailman-Users] What does mailman do with a POST?

2018-07-31 Thread Mark Sapiro
On 07/31/2018 06:15 PM, Bernie Cosell wrote:
> 
> 'cookie2' => '$Version="1"',
> 'csrf-token' => 
> '...',
> 'setmemberopts-btn' => 'Submit Your Changes',
>  'cookie' => 
> 'testlist-fantasyfarm.com+admin=...',
>  'user-agent' => 'Mozilla/5.0',
>  'unsubscribees' => 'bernie'
> 
>  '_method' => 'POST',
> '_uri' => 
> http://lists.fantasyfarm.com/admin.cgi/testlist-fantasyfarm.com/member
> s/remove')}, 'URI::http' ),
> 
> And the page I got back was the remove page -- no error no success [it 
> should be an error, since I'm not subscribed to the list I'm playing 
> with..:o)]
> Do I have to do something special with the data for the 'unsubscribees' ?  I 
> know it is a TEXTAREA -- but I just assumed I could pass it a string and 
> that'd be OK.


The above should be OK. The unsubscribees should be a string of email
address and/or display_name  lines separated by newlines, but
just "bernie" should be enough to give the error.

I note however that I went to
http://lists.fantasyfarm.com/listinfo.cgi/testlist-fantasyfarm.com just
to see it, and I can see by the form of the URL that this is a modified
Mailman. Primarily the fact that the listname in the URL is
'testlist-fantasyfarm.com' rather than just 'testlist' indicates that
this is a Mailman modified to support lists in multiple domains without
list name collisions. Also, the footer has no link to the listinfo overview.

Without knowing what the mods are, it's hard for me to be definitive
about anything, however if your script is posting the same data that a
web browser would post, it SHOULD work.

Further, if the CGI is comparable to the standard one, the fact that you
don't get a message about form lifetime expired means it gets your
csrf_token OK and the fact that you don't get the login page in return
means it gets your cookie OK and all you should need beyond that to at
least get an error is a non-blank unsubscribees value.

Thus, I don't know what's going on.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
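
The conditions listed in the reply above, written as a pre-flight check for a scripted mass-removal POST. This is an added example, not part of the thread and not Mailman's code; `predict_response`, the sample host and the placeholder token and cookie values are constructed, and the order of the checks is an assumption.

```python
from urllib.parse import parse_qs, urlsplit

# Form field names as given in this thread.
FORM_FIELDS = ("csrf_token", "unsubscribees", "unsubscribees_upload",
               "setmemberopts_btn")


def predict_response(url, headers, body):
    """Predict what the admin CGI returns for a mass-removal POST.

    Returns (outcome, notes). The checks and their order paraphrase the
    reply above; they are not taken from Mailman's source. Assumes a
    urlencoded body.
    """
    parts = urlsplit(url).path.strip("/").split("/")
    if len(parts) < 3 or parts[-2:] != ["members", "remove"]:
        return "not the mass-removal page", []
    listname = parts[-3]
    hdrs = {k.lower(): v for k, v in headers.items()}
    form = parse_qs(body, keep_blank_values=True)

    # A form field sent as a request header is not part of the POST data.
    notes = [f"{name} is a header, not POST data" for name in FORM_FIELDS
             if name not in form
             and (name in hdrs or name.replace("_", "-") in hdrs)]

    if f"{listname}+admin=" not in hdrs.get("cookie", ""):
        return "login page", notes
    if not form.get("csrf_token", [""])[0].strip():
        return "form lifetime expired message", notes
    if not any(v.strip() for key in ("unsubscribees", "unsubscribees_upload")
               for v in form.get(key, [])):
        return "form returned with no message", notes
    return "removal attempted, result or error shown", notes


# Constructed sample request; token and cookie values are placeholders.
URL = "http://lists.example.com/admin.cgi/testlist/members/remove"
COOKIE = {"Cookie": "testlist+admin=PLACEHOLDER"}
GOOD_BODY = "csrf_token=PLACEHOLDER&unsubscribees=bernie%0Aalice%40example.com"

if __name__ == "__main__":
    print(predict_response(URL, COOKIE, GOOD_BODY))
    print(predict_response(URL, {**COOKIE, "Unsubscribees": "bernie"},
                           "csrf_token=PLACEHOLDER"))
```
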


Re: [Mailman-Users] What does mailman do with a POST?

2018-07-31 Thread Mark Sapiro
On 07/31/2018 06:15 PM, Bernie Cosell wrote:

>  'cookie' => 
> 'testlist-fantasyfarm.com+admin=.',


I recognize this is a test list and you may not care, but that cookie
allows anyone to access the web admin UI for the list until you change
the admin password.


-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] What does mailman do with a POST?

2018-07-31 Thread Richard Damon
On 7/31/18 9:32 PM, Bernie Cosell wrote:
> On 31 Jul 2018 at 21:25, Richard Damon wrote:
>
>> On 7/31/18 9:15 PM, Bernie Cosell wrote:
>>> Here's the request I just sent:
>>>
>>> 'setmemberopts-btn' => 'Submit Your Changes',
>>>  'cookie' => 
>>>  'unsubscribees' => 'bernie'
>>> 
>>>  '_method' => 'POST',
>>> '_uri' => 
>>>
>>> Do I have to do something special with the data for the
>> 'unsubscribees' ?  I 
>>> know it is a TEXTAREA -- but I just assumed I could pass it a string
>> and 
>>> that'd be OK.
>> With Mailman2, submitting a non-subscribed email address to the
>> unsubscribe link doesn't give an error message.
> Hmm.  the server is running  2.1.23 and I just tried unsubscribing "bernie" 
> again from my web browser [and I'm still not on the list..:o)]  and I got:
> ---
> Cannot unsubscribe non-members:
>
> bernie 
> -
> in bold red letters at the top and then it is followed by the rest of the 
> HTML 
> for the mass-removal page.
>
>   /B\
>> If you read the text
>> sent back, it says something like IF you were subscribed, and email
>> will
>> be set to your email address to confirm the unsubscription. I presume
>> this is part of Mailmans privacy policy to not let people find out if
>> someone is subscribed to a list (assuming the list doesn't post the
>> subscriber list).
>>
>>
>> -- 
>> Richard Damon
>>
>
> Bernie Cosell
>ber...@fantasyfarm.com
> -- Too many people; too few sheep --
>
Sorry, I was thinking of the member unsubscribed page, not the admin page.
The admin does know who is subscribed so no hiding is needed.

One thought is could the anti-robot code be affecting you here, and you
need to add a pause between getting the token and submitting the form to
look like a human (it really shouldn't need to be active on admin pages,
but I don't know if it makes the distinction.)

-- 
Richard Damon



Re: [Mailman-Users] What does mailman do with a POST?

2018-07-31 Thread Bernie Cosell
On 31 Jul 2018 at 21:25, Richard Damon wrote:

> On 7/31/18 9:15 PM, Bernie Cosell wrote:

> > Here's the request I just sent:
> >
> > 'setmemberopts-btn' => 'Submit Your Changes',
> >  'cookie' => 
> >  'unsubscribees' => 'bernie'
> > 
> >  '_method' => 'POST',
> > '_uri' => 
> >
> > Do I have to do something special with the data for the
> 'unsubscribees' ?  I 
> > know it is a TEXTAREA -- but I just assumed I could pass it a string
> and 
> > that'd be OK.

> With Mailman2, submitting a non-subscribed email address to the
> unsubscribe link doesn't give an error message.

Hmm.  the server is running  2.1.23 and I just tried unsubscribing "bernie" 
again from my web browser [and I'm still not on the list..:o)]  and I got:
---
Cannot unsubscribe non-members:

bernie 
-
in bold red letters at the top and then it is followed by the rest of the HTML 
for the mass-removal page.

  /B\
> If you read the text
> sent back, it says something like IF you were subscribed, and email
> will
> be set to your email address to confirm the unsubscription. I presume
> this is part of Mailmans privacy policy to not let people find out if
> someone is subscribed to a list (assuming the list doesn't post the
> subscriber list).
> 
> 
> -- 
> Richard Damon
> 


Bernie Cosell
   ber...@fantasyfarm.com
-- Too many people; too few sheep --
   





Re: [Mailman-Users] What does mailman do with a POST?

2018-07-31 Thread Richard Damon
On 7/31/18 9:15 PM, Bernie Cosell wrote:
> On 31 Jul 2018 at 15:53, Mark Sapiro wrote:
>
>> On 07/30/2018 05:08 AM, Bernie Cosell wrote:
>>> I'm trying to submit a form or two from a program and I can't quite 
>>> understand Mailman's form handling, this with Mailman 2.1.23.
>>> What does Mailman do to when receiving a POST to decide if there's 
>>> something to do or not?  THANKS!
>>
>> It looks at the POST data. In the case of the admin CGI just returning
>> the Mass Removals form with no errors and no changes, this means it
>> got
>> the right path to LISTNAME/members/remove and it got a good
>> csrf_token.
> That's a start... :o)  
>
>> Given that, the only way it would return the form with no message is
>> if
>> it got no non-blank values for unsubscribees or unsubscribees_upload.
>>
>> You refer to csrf_token as csrf_object. If you are really submitting
>> the
>> value as csrf_object, that wouldn't work, but you should get an error.
> Right , I mistyped..  I still don't understand why I'm not getting anything.  
> Here's the request I just sent:
>
> 'cookie2' => '$Version="1"',
> 'csrf-token' => 
> '280200694a07615b734700746573746c6973742d66616e74617379666
> 1726d2e636f6d2b61646d696e3a3139376633326633636638316533393631
> 656132313039623235383137343533386232366139',
> 'setmemberopts-btn' => 'Submit Your Changes',
>  'cookie' => 
> 'testlist-fantasyfarm.com+admin=280200694a07615b732800313937
> 66333266336366383165333936316561323130396232353831373435333862
> 32366139',
>  'user-agent' => 'Mozilla/5.0',
>  'unsubscribees' => 'bernie'
> 
>  '_method' => 'POST',
> '_uri' => 
> http://lists.fantasyfarm.com/admin.cgi/testlist-fantasyfarm.com/member
> s/remove')}, 'URI::http' ),
>
> And the page I got back was the remove page -- no error no success [it 
> should be an error, since I'm not subscribed to the list I'm playing 
> with..:o)]
> Do I have to do something special with the data for the 'unsubscribees' ?  I 
> know it is a TEXTAREA -- but I just assumed I could pass it a string and 
> that'd be OK.
>
> Thanks for the help!
>   /Bernie\
> Bernie Cosell
>ber...@fantasyfarm.com
> -- Too many people; too few sheep --
>
With Mailman2, submitting a non-subscribed email address to the
unsubscribe link doesn't give an error message. If you read the text
sent back, it says something like IF you were subscribed, an email will
be sent to your email address to confirm the unsubscription. I presume
this is part of Mailman's privacy policy to not let people find out if
someone is subscribed to a list (assuming the list doesn't post the
subscriber list).


-- 
Richard Damon



Re: [Mailman-Users] What does mailman do with a POST?

2018-07-31 Thread Bernie Cosell
On 31 Jul 2018 at 15:53, Mark Sapiro wrote:

> On 07/30/2018 05:08 AM, Bernie Cosell wrote:

> > I'm trying to submit a form or two from a program and I can't quite 
> > understand Mailman's form handling, this with Mailman 2.1.23.

> > What does Mailman do to when receiving a POST to decide if there's 
> > something to do or not?  THANKS!
> 
> 
> It looks at the POST data. In the case of the admin CGI just returning
> the Mass Removals form with no errors and no changes, this means it
> got
> the right path to LISTNAME/members/remove and it got a good
> csrf_token.

That's a start... :o)  

> Given that, the only way it would return the form with no message is
> if
> it got no non-blank values for unsubscribees or unsubscribees_upload.
> 
> You refer to csrf_token as csrf_object. If you are really submitting
> the
> value as csrf_object, that wouldn't work, but you should get an error.

Right , I mistyped..  I still don't understand why I'm not getting anything.  
Here's the request I just sent:

'cookie2' => '$Version="1"',
'csrf-token' => 
'280200694a07615b734700746573746c6973742d66616e74617379666
1726d2e636f6d2b61646d696e3a3139376633326633636638316533393631
656132313039623235383137343533386232366139',
'setmemberopts-btn' => 'Submit Your Changes',
 'cookie' => 
'testlist-fantasyfarm.com+admin=280200694a07615b732800313937
66333266336366383165333936316561323130396232353831373435333862
32366139',
 'user-agent' => 'Mozilla/5.0',
 'unsubscribees' => 'bernie'

 '_method' => 'POST',
'_uri' => 
http://lists.fantasyfarm.com/admin.cgi/testlist-fantasyfarm.com/member
s/remove')}, 'URI::http' ),

And the page I got back was the remove page -- no error no success [it 
should be an error, since I'm not subscribed to the list I'm playing with..:o)]
Do I have to do something special with the data for the 'unsubscribees' ?  I 
know it is a TEXTAREA -- but I just assumed I could pass it a string and 
that'd be OK.

Thanks for the help!
  /Bernie\
Bernie Cosell
   ber...@fantasyfarm.com
-- Too many people; too few sheep --
   





Re: [Mailman-Users] What does mailman do with a POST?

2018-07-31 Thread Mark Sapiro
On 07/30/2018 05:08 AM, Bernie Cosell wrote:
> I'm trying to submit a form or two from a program and I can't quite 
> understand Mailman's form handling, this with Mailman 2.1.23.
> 
> What I've done is a little program that does something simple: it first 
> authenticates [and gets the appropriate cookies], then I GET the 
> mass-removal page [to get its csrf_object.  Then I do a simple POST with 
> just three form fields:
> 
> csrf_object=>  
> unsubscribees  => the email address,
> 'setmemberopts_btn  => 'Submit Your Changes'
> 
> The response I get back is the original page - no error and no success, just 
> the mass-removal page again.  It is what would happen if you clicked on 
> the submit button without giving it anything to do
> 
> I've also tried a similar POSTing with every field from the form included, 
> and always the same: a 200 response and I get the mass-removal page back 
> again.   I'd look at the code, but I'm a perl guy -- never messed with python.
> 
> What does Mailman do to when receiving a POST to decide if there's 
> something to do or not?  THANKS!


It looks at the POST data. In the case of the admin CGI just returning
the Mass Removals form with no errors and no changes, this means it got
the right path to LISTNAME/members/remove and it got a good csrf_token.

Given that, the only way it would return the form with no message is if
it got no non-blank values for unsubscribees or unsubscribees_upload.

You refer to csrf_token as csrf_object. If you are really submitting the
value as csrf_object, that wouldn't work, but you should get an error.

If you are using some kind of framework for submitting the post that
would receive a redirect response of some kind and transparently do the
redirection (eg http -> https) before returning the result, this could
be  so see that.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan