[Mailman-Developers] probing list names, and subscribers

britt bolen@hcs.harvard.edu
Sat, 15 Apr 2000 02:45:52 -0400 (EDT)


I noticed there was a message or two about the ability to probe for list
membership, and list existence, even when privacy features have been
turned on.  I didn't see anything about this in the To-Do list.

Has anyone made any noise about working on this problem?

I see it as twofold: one, list names can be probed for existence.  The
same thing for membership, simply by guessing names to go after
http://host/mailman/admin and http://host/mailman/options/.  This defeats
the purpose of having private lists, which is an absolute necessity for my
system.

I think both of these can be easily fixed, and I'm more than willing to do
the coding (I needed an excuse to learn yet another language).

For lists, if the list doesn't exist, don't give a failure page, but give 
the password page, and then always fail, giving no clue if the list name
or the password is the problem.

For users, just ALWAYS produce the user options page, and then do a
password fail if they try to submit anything.

This can produce more work for the mailman admin, as the legit users are
less sure about why an action is not working.  

Comments?  Suggestions?  Pointers to python docs ;)

thanks,

Britt
Head Admin, Harvard Computer Society, and majordomo flunkie

-----------------------------------------------------------------------
Britt Bolen               britt@bolen.com               britt.bolen.com
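
The list-name half of the proposal above, as an added example that is not part of the original post and is not Mailman's code: the password page is served for any list name, and a missing list and a wrong password produce the same failure response after the same amount of hashing work. The handler names, the `LISTS` store, the page texts and the PBKDF2 parameters are assumptions made for illustration; the same pattern applies to the user options page.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed password hashing scheme, chosen for the example only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _make_entry(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample data: list name -> (salt, password hash).
LISTS = {"staff-private": _make_entry("correct horse")}

# Dummy credential verified when the list does not exist, so the missing-list
# path does the same hashing work as the real path and response timing does
# not reveal which names are real.
_DUMMY = _make_entry(os.urandom(16).hex())

LOGIN_PAGE = (200, "List administrator authentication\nPassword: [________]")
FAILURE_PAGE = (401, "Authorization failed.")


def admin_get(listname: str):
    """GET /mailman/admin/<listname>: same password page for every name."""
    return LOGIN_PAGE


def admin_post(listname: str, password: str):
    """POST: a single failure response for 'no such list' and 'bad password'."""
    salt, expected = LISTS.get(listname, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), expected)
    # The membership check guards against a lucky match on the dummy entry.
    if ok and listname in LISTS:
        return (200, "Administration page for " + listname)
    return FAILURE_PAGE


if __name__ == "__main__":
    for name, pw in [("staff-private", "wrong"), ("no-such-list", "wrong"),
                     ("staff-private", "correct horse")]:
        print(name, pw, "->", admin_post(name, pw))
```

Status code, body and headers all have to match between the two failure cases; a differing redirect or cookie reintroduces the probe.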