[Mailman-Developers] Yet another weird-a$$ potential attack problem...

Barry A. Warsaw barry@zope.com
Fri, 5 Apr 2002 09:56:31 -0500


>>>>> "CVR" == Chuq Von Rospach <chuqui@plaidworks.com> writes:

    CVR> How about keeping the reply model, but requiring the reply
    CVR> come from the address being subscribed?

It was, at one point, a requirement.  Say I subscribe to a list via
the web, typing in my work address.  But my work address forwards to
my home address, so I see the confirmation at home.  Now I reply but I
don't know how to fiddle with my From: header to make it look like the
reply came from my work address.  I can't subscribe.

So you ask, why would I have subscribed my work address if I'm going
to be reading (and replying to) it from home?  Maybe it's a list
related to my technical responsibilities at work and I've been
"asked" by management to advertise my work address.  But the same
management doesn't really care where I read my email as long as I get
my job done.

It never mattered in the world of wide-open posting rules.  In a
predominantly members-only world it probably makes less sense for me
to play these games.  But in a (future) world where I can attach
several email addresses to my account, maybe it matters more.

Regardless, it's too late in the game to change this for MM2.1.  Let's
see where the world is for the next version -- maybe it makes sense to
change (or make configurable) this policy.

-Barry
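As an added illustration of the confirmation model Barry describes (this is not Mailman's code; the names, the cookie format and the sample reply are constructed), the reply is authenticated by the random cookie mailed to the subscribed address, so a reply sent from a different From: address still succeeds unless the optional address-match policy is switched on:

```python
import re
import secrets
from email import message_from_string
from email.utils import parseaddr

# Assumed cookie format: 32 hex chars after the word "confirm" in the subject or body.
COOKIE_RE = re.compile(r"confirm\s+([0-9a-f]{32})", re.IGNORECASE)


class Confirmations:
    """Pending subscriptions keyed by the cookie that was mailed out."""

    def __init__(self):
        self._pending = {}  # cookie -> (listname, subscribed address)

    def request(self, listname, address):
        """Start a subscription; returns the cookie to mail to `address`."""
        cookie = secrets.token_hex(16)  # 128 bits of entropy, not guessable
        self._pending[cookie] = (listname, address.lower())
        return cookie

    def confirm(self, raw_reply, require_from_match=False):
        """Process a confirmation reply; returns (listname, address) or None."""
        msg = message_from_string(raw_reply)
        m = COOKIE_RE.search(msg.get("Subject", "") or "") or COOKIE_RE.search(msg.get_payload() or "")
        if not m:
            return None
        entry = self._pending.get(m.group(1).lower())
        if entry is None:
            return None  # unknown, expired, or already used cookie
        listname, address = entry
        sender = parseaddr(msg.get("From", "") or "")[1].lower()
        if require_from_match and sender != address:
            return None  # the stricter policy proposed in the thread
        del self._pending[m.group(1).lower()]  # cookies are single use
        return listname, address


def forwarded_reply_scenario(require_from_match):
    """Subscribe a work address, reply from the home address it forwards to."""
    c = Confirmations()
    cookie = c.request("mm-dev", "barry@work.example")
    reply = (
        "From: Barry <barry@home.example>\nTo: mm-dev-request@lists.example\n"
        f"Subject: Re: confirm {cookie}\n\nok\n"
    )
    first = c.confirm(reply, require_from_match=require_from_match)
    replay = c.confirm(reply, require_from_match=require_from_match)
    return first, replay
```

The second return value shows that replaying the same confirmation is rejected once the cookie has been consumed.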