[Mailman-Developers] privacy problems with web interface

Barry A. Warsaw barry@zope.com
Thu, 11 Oct 2001 18:54:04 -0400


>>>>> "FG" == Federico Grau <donfede@casagrau.org> writes:

    FG> As distributed, Mailman makes it trivial to discover 
    FG> if a given address is in fact a subscriber. If you suspect
    FG> dev@null.com has joined a list, go to the user page and
    FG> enter his address to subscribe; you'll get back a revealing
    FG> reply 'You already belong, dummy'.

What we can do for MM2.1 is, if the subscriber list is not public,
i.e. private_roster is not "Anyone", then if they attempt to subscribe
an already subscribed address, we can show them a results page that
looks no different whether they actually are subscribed or not.

Then if they are subscribed, we'll send the user a message saying
somebody tried to subscribe their address (should we email the admin
too?).  If they aren't subscribed, then we'll do the normal routine.

(I need to make sure the web message you'd see is identical regardless
of whether you're subscribed or not.  That's a little tricky, but
doable.)

    FG> We looked at modifying the html on the user pages but the
    FG> python module "handle_opts" seems hard-coded into giving
    FG> revealing responses.  We also glanced at Mailman 2.0.6 but it
    FG> seemed to offer the same behavior.

    FG> Has anyone else already looked into this issue, and proposed
    FG> code to solve it? We are considering writing a patch for
    FG> "handle_opts" and submitting it but 1) don't want to fork
    FG> the code, and 2) don't want to duplicate/waste the effort.

In MM2.1, this is done by the options.py cgi script.  Here we need to
do something similar, but again, it's a little tricky.

If the user is subscribed, and a url containing their email address is
given, then they are presented with a page prompting only for their
password.  If the email address is incorrect, or missing in the url,
then they are prompted for both their address and password.

This needs to change such that if private_roster is not "Anyone", then
the same sets of prompts will be given regardless of whether the
address is a member or not.  That leads me to think that if
private_roster <> "Anyone" then if any email address is given, we'll
only prompt for the password.  Obviously, there'll be no matching
password, so the error condition in both cases will be to return them
to the options prompt page, asking for both email address and
password.

This should avoid leaking any membership information.  I'll work on
getting that into MM2.1.  Watch CVS.

-Barry
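The design Barry sketches above (an identical web page for members and non-members when the roster is private, with the difference moved to email, plus a password-only prompt for any supplied address on the options page) can be checked mechanically: for the two branches, the returned page text must compare equal. The following is an added illustration written for this page, not Mailman's own code; the function names, the `Outcome` type, the `"List members"` roster setting used as the "not Anyone" case, and the addresses are assumptions or constructed values.

```python
"""Uniform-response subscribe and options handling, modelled on the
message above.  Added example, not Mailman code: handle_subscribe,
options_prompt, Outcome and the addresses below are invented."""

from dataclasses import dataclass, field

PUBLIC = "Anyone"  # private_roster value meaning the roster is public


@dataclass
class Outcome:
    web_page: str                               # what the browser sees
    mail: list = field(default_factory=list)    # (recipient, subject) pairs


def handle_subscribe(members, address, private_roster,
                     admin="list-owner@example.invalid"):
    """Return the web page and out-of-band mail for a subscribe request.

    With a private roster the page text is the same whether or not
    `address` is already a member; only the mail sent afterwards differs.
    """
    address = address.strip().lower()
    is_member = address in members
    if private_roster != PUBLIC:
        # One string object for both branches: membership must not be
        # inferable from the page, so do not build it conditionally.
        page = ("Your subscription request has been received. Check "
                "your mail for further instructions.")
        if is_member:
            # Tell the member (and the admin) that someone tried to
            # subscribe their address.
            mail = [(address, "Someone tried to subscribe your address"),
                    (admin, "Attempted resubscription")]
        else:
            # Normal routine: send the confirmation.
            mail = [(address, "Confirm your subscription")]
        return Outcome(page, mail)
    # Public roster: membership is public anyway, so the direct answer is
    # harmless and the current behaviour is kept.
    if is_member:
        return Outcome("You are already subscribed.", [])
    return Outcome("Confirm your subscription by mail.",
                   [(address, "Confirm your subscription")])


def options_prompt(members, address, private_roster):
    """Return the form fields the options page should ask for.

    Mirrors the second half of the message: with a private roster, any
    supplied address yields a password-only prompt, member or not.  A
    missing address always asks for both fields.
    """
    address = (address or "").strip().lower()
    if not address:
        return ("email", "password")
    if private_roster != PUBLIC:
        return ("password",)
    # Public roster: ask for both when the address is unknown.
    return ("password",) if address in members else ("email", "password")


def options_login(members, passwords, address, password):
    """Authenticate an options login.

    Every failure, whether the address is unknown or the password is
    wrong, returns the same status and sends the user back to the
    two-field prompt, so the error path leaks nothing either.
    """
    address = (address or "").strip().lower()
    if address in members and passwords.get(address) == password:
        return ("ok", ())
    return ("error", ("email", "password"))


if __name__ == "__main__":
    # Constructed sample data.
    members = {"dev@null.com"}
    a = handle_subscribe(members, "dev@null.com", "List members")
    b = handle_subscribe(members, "nobody@example.invalid", "List members")
    print("pages identical:", a.web_page == b.web_page)   # True
    print("mail differs:   ", a.mail != b.mail)           # True
```

The defender's check is the `a.web_page == b.web_page` comparison at the bottom: run it for every roster setting other than `"Anyone"` and for both the subscribe and options paths, and treat any difference in page text, status code or redirect target as a regression of the fix.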