Mailman 2.1.4
We mass subscribed an automatically generated list of
addresses. One of these contained an ascii Vertical-Tab
character. The (somewhat munged for privacy) address in
the mass subscribe list was
lauxxxxxher@comcast.net<VT>rixxxxxher where <VT>
represents ascii Vertical Tab (hex 0B).
The address was subscribed OK and then noticed to be
bad. We followed the link from the member list to that
member's option page an attempted to unsubscribe it and
"encountered a bug". This happened twice in succession
and then a third time about an hour later. The error
log entry from the first try is attached (with the same
address munging). Another list administrator tried the
same thing the next morning and that time it worked. We
don't know why what we think was the same unsubscribe
procedure didn't work 3 times and then worked the next day.
the following is in Utils.py
# TBD: what other characters should be disallowed?
_badchars = re.compile(r'[][()<>|;^,/\200-\377]')
A fix might be to add the range \000-\037 to the
_badchars re, but this may not be correct. It is not
clear whether they should be allowed.
RFC 2822 allows "non white space" control characters in
domain-literals, but not in local-parts of addresses.
However, RFC 2821 (SMTP) says:
A domain (or domain name) consists of one or more
dot-separated
components. These components ("labels" in DNS
terminology) are
restricted for SMTP purposes to consist of a
sequence of letters,
digits, and hyphens drawn from the ASCII character set.
Thus, it seems that for Mailman purposes it would be
safe to not allow any of \000-\037 in addresses.
Error log entry
Logged In: YES
user_id=110886
As a side note, if you have problems with illegal
characters in subscribed addresses, here's the relevant FAQ
entry:
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.013.htp
Logged In: YES
user_id=67709
uploading a patch to fix this and other.
Logged In: YES
user_id=1123998
I see the patch changes Utils.py as follows:
-_badchars = re.compile(r'[][()<>|;^,/\200-\377]')
+_badchars = re.compile(r'[][()<>|;^,\000-\037\200-\377]')
Per discussion on mailman-developers list, I think \177
should also be disallowed:
+_badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]')
badchar.patch updated
Logged In: YES
user_id=67709
sorry, I am now updating the patch.
Logged In: YES
user_id=67709
Closing for merged in CVS:
Checking in SecurityManager.py;
new revision: 2.20.2.4; previous revision: 2.20.2.3
Checking in Utils.py;
new revision: 2.45.2.9; previous revision: 2.45.2.8