authorklm1998-07-12 03:22:42 +0000
committerklm1998-07-12 03:22:42 +0000
commit496988dcbff4c39a61009d2f1a7bccf921e1c232 (patch)
treecf35b843f25bf60087cb5c45dbbd9991a3c23159 /Mailman/MailCommandHandler.py
parent262e7302dc79352e1dc3c2ebfb4fe80803a5b835 (diff)
Informatively reject mail-command attempts to subscribe
already-subscribed members. (The prior checkin was for web-based subscription attempts.) NOTE that both these already-subscribed actions can constitute privacy leaks - someone could venture subscription attempts with addresses which they are trying to test for already-existing membership - and this response will provide unequivocal confirmation in the cases when the addresses are subscribed. One possible remedy is to send the refusal to the address being subscribed. This way the person taking the action gets no additional info unless they have access to the subscribee's email channel. The problem with this is that it complicates the mail-command refusal process substantially, since it's currently geared, very simply, to send the refusal to the requesting address. Do we think the privacy leak is important enough to fill this hole?
Diffstat (limited to 'Mailman/MailCommandHandler.py')
-rw-r--r--Mailman/MailCommandHandler.py11
1 files changed, 8 insertions, 3 deletions
diff --git a/Mailman/MailCommandHandler.py b/Mailman/MailCommandHandler.py
index 8e4bf7e32..f2686d431 100644
--- a/Mailman/MailCommandHandler.py
+++ b/Mailman/MailCommandHandler.py
@@ -400,7 +400,8 @@ class MailCommandHandler:
password = "%s%s" % (Utils.GetRandomSeed(),
Utils.GetRandomSeed())
elif len(args) > 3:
- self.AddError("Usage: subscribe [password] [digest|nodigest] [address=<email-address>]")
+ self.AddError("Usage: subscribe [password] "
+ "[digest|nodigest] [address=<email-address>]")
return
else:
for arg in args:
@@ -416,7 +417,8 @@ class MailCommandHandler:
password = arg
else:
self.AddError("Usage: subscribe [password] "
- "[digest|nodigest] [address=<email-address>]")
+ "[digest|nodigest] "
+ "[address=<email-address>]")
return
if not password:
password = "%s%s" % (Utils.GetRandomSeed(),
@@ -425,6 +427,9 @@ class MailCommandHandler:
pending_addr = mail.GetSender()
else:
pending_addr = address
+ if self.FindUser(pending_addr):
+ self.AddError("%s is already a list member." % pending_addr)
+ return
cookie = Pending.gencookie()
Pending.add2pending(pending_addr, password, digest, cookie)
text = Utils.maketext(
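Review bot: The new `if self.FindUser(pending_addr):` branch returns after `AddError` without leaving any record of the attempt, so a run of subscribe commands testing different `address=` values would go unnoticed by the list admin. Because `pending_addr` can come from the `address=` argument rather than `mail.GetSender()`, I'd log both the requesting sender and the tested address before the `return`, using whatever logging helper the class already provides (none is visible in this hunk). A one-line comment such as `# Refuse early: no pending cookie is created for existing members.` would also document why the check sits ahead of `Pending.gencookie()`. The enclosing method starts and ends outside the hunk.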
@@ -469,7 +474,7 @@ class MailCommandHandler:
except:
# TODO: Should log the error we got if we got here.
self.AddError("An unknown Mailman error occured.")
- self.AddError("Please forward on your request to %s" %
+ self.AddError("Please forward your request to %s" %
self.GetAdminEmail())
self.AddError("%s" % sys.exc_type)