#932 Mass Subscribe address with control character - can't delete

2.1 (stable)
closed
5
2004-10-09
2004-09-18
Mark Sapiro
No

Mailman 2.1.4

We mass subscribed an automatically generated list of
addresses. One of these contained an ASCII Vertical-Tab
character. The (somewhat munged for privacy) address in
the mass subscribe list was
lauxxxxxher@comcast.net<VT>rixxxxxher where <VT>
represents ASCII Vertical Tab (hex 0B).

The address was subscribed OK and then noticed to be
bad. We followed the link from the member list to that
member's option page and attempted to unsubscribe it and
"encountered a bug". This happened twice in succession
and then a third time about an hour later. The error
log entry from the first try is attached (with the same
address munging). Another list administrator tried the
same thing the next morning and that time it worked. We
don't know why what we think was the same unsubscribe
procedure didn't work 3 times and then worked the next day.

The following is in Utils.py:

# TBD: what other characters should be disallowed?
_badchars = re.compile(r'[][()<>|;^,/\200-\377]')

A fix might be to add the range \000-\037 to the
_badchars re, but this may not be correct. It is not
clear whether they should be allowed.

RFC 2822 allows "non white space" control characters in
domain-literals, but not in local-parts of addresses.
However, RFC 2821 (SMTP) says:
   A domain (or domain name) consists of one or more dot-separated
   components. These components ("labels" in DNS terminology) are
   restricted for SMTP purposes to consist of a sequence of letters,
   digits, and hyphens drawn from the ASCII character set.

Thus, it seems that for Mailman purposes it would be
safe to not allow any of \000-\037 in addresses.

Discussion

  • Mark Sapiro

    Mark Sapiro - 2004-09-18

    Error log entry

     
  • Terri Oda

    Terri Oda - 2004-09-18

    Logged In: YES
    user_id=110886

    As a side note, if you have problems with illegal
    characters in subscribed addresses, here's the relevant FAQ
    entry:

    http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.013.htp

     
  • Tokio Kikuchi

    Tokio Kikuchi - 2004-09-20
    • assigned_to: nobody --> tkikuchi
     
  • Tokio Kikuchi

    Tokio Kikuchi - 2004-09-20

    Logged In: YES
    user_id=67709

    Uploading a patch to fix this and other.

     
  • Mark Sapiro

    Mark Sapiro - 2004-09-20

    Logged In: YES
    user_id=1123998

    I see the patch changes Utils.py as follows:

    -_badchars = re.compile(r'[][()<>|;^,/\200-\377]')
    +_badchars = re.compile(r'[][()<>|;^,\000-\037\200-\377]')
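
    Review bot: the class on the + line no longer contains "/", which the removed line rejected (",/\200" became ",\000-\037\200"), and nothing in the visible change says that is intended. If slashes are now meant to be accepted in addresses, say so in the comment above _badchars in Utils.py; otherwise keep "/" next to the added \000-\037 range. The "# TBD" comment above the expression is also a good place to record why control characters are excluded.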

    Per discussion on mailman-developers list, I think \177
    should also be disallowed:

    +_badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]')

     
  • Tokio Kikuchi

    Tokio Kikuchi - 2004-09-21

    badchar.patch updated

     
  • Tokio Kikuchi

    Tokio Kikuchi - 2004-09-21

    Logged In: YES
    user_id=67709

    Sorry, I am now updating the patch.

     
  • Tokio Kikuchi

    Tokio Kikuchi - 2004-10-09
    • status: open --> closed
     
  • Tokio Kikuchi

    Tokio Kikuchi - 2004-10-09

    Logged In: YES
    user_id=67709

    Closing as merged in CVS:

    Checking in SecurityManager.py;
    new revision: 2.20.2.4; previous revision: 2.20.2.3
    Checking in Utils.py;
    new revision: 2.45.2.9; previous revision: 2.45.2.8
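
An added example, not part of the original report or of Mailman's code: it runs the three `_badchars` classes quoted in this thread over a constructed address list and reports which bytes each class rejects. The patterns are copied from the page; the names `PATTERNS`, `bad_chars`, `audit`, `accepted` and the sample addresses are assumptions made for the illustration.

```python
import re

# The three character classes quoted in this thread, compiled as bytes
# patterns because Mailman 2.1 handled addresses as Python 2 byte strings.
PATTERNS = {
    "2.1.4":     re.compile(rb'[][()<>|;^,/\200-\377]'),
    "patch":     re.compile(rb'[][()<>|;^,\000-\037\200-\377]'),
    "patch+DEL": re.compile(rb'[][()<>|;^,\000-\037\177-\377]'),
}

def bad_chars(addr, pattern):
    """Return [(offset, byte_value)] for every disallowed byte in addr."""
    return [(m.start(), m.group()[0]) for m in pattern.finditer(addr)]

def audit(addresses):
    """Map each address to {pattern name: list of offending bytes}."""
    return {a: {name: bad_chars(a, p) for name, p in PATTERNS.items()}
            for a in addresses}

def accepted(addresses, name):
    """Addresses that the named pattern would let through."""
    report = audit(addresses)
    return [a for a in addresses if not report[a][name]]

# Constructed sample input (hypothetical addresses, not real subscriber data).
SAMPLE = [
    b"alice@example.com",
    b"bob@example.com\x0bextra",   # vertical tab (hex 0B), as in the report
    b"carol\x7f@example.com",      # DEL (octal 177)
    b"dave/ops@example.com",       # slash
]

if __name__ == "__main__":
    for addr, result in audit(SAMPLE).items():
        for name, hits in result.items():
            verdict = "reject" if hits else "accept"
            detail = ", ".join("0x%02x at offset %d" % (b, off)
                               for off, b in hits)
            print("%-10s %-7s %r %s" % (name, verdict, addr, detail))
```

Run over an exported member list, the same comparison shows which already-subscribed addresses would fail validation once the stricter class is deployed.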

     
