[Mailman-Users] Somebody could not subscribe to pypy-dev at python.org

Mark Sapiro mark at msapiro.net
Thu Apr 23 01:52:33 CEST 2015 

On 4/22/15 3:11 PM, Laura Creighton wrote:
> In a message of Wed, 22 Apr 2015 14:34:00 -0700, Mark Sapiro
> writes:
>> 
>> It is conceivable that some browser could corrupt the
>> sub_form_token value upon submission if and only if the password
>> fields are empty, but as I say, it's a stretch.
> 
> And this is upside-down from his experience.  Things go _fine_
> when the password fields are empty, it is just when he fills them
> out that things did not work.


My mistake. I meant non-empty. And as far as "things go fine", I
suspect it's really "things went fine once and the password fields
happened to be empty that one time".


>> When did this issue occur? I have looked at the web server logs
>> back to March 30, and every POST to mailman/subscribe/pypy-dev in
>> those logs is from a bot attempting to subscribe to many lists.
> 
> Yesterday. At Tue, 21 Apr 2015 18:05:56 -0000 he sent a mail to
> pypy-dev-owner (me) complaining about his problem and asking if we
> could fix it, so sometime before but close to then I would guess.


Yes. I saw the dates in the email, and as I say, I looked at the
server logs all the way back to March 30 and I see no evidence of a
successful subscribe to pypy-dev and all the unsuccessful ones appear
to be just the kind of bot activity we are trying to thwart.


>> The only way the 'You must GET the form before submitting it.'
>> message is issued is if the time is within the 1 hour >= time >=
>> 5 seconds window and the hash doesn't match. This could occur if
>> the user is accessing the site through some kind of proxy or
>> other device which submits the form from a different IP than the
>> one that got it.
> 
> I will ask about this.  He is using stock chrome with no
> adblocking plugins -- no plugins at all, as this is a new machine
> and he hasn't got around to installing anything yet.


It wouldn't be his machine. It would be something between his machine
and mail.python.org. Perhaps some kind of load balancer or other
device which submits each separate http request from one of a pool of
IP addresses. Thus, the subscribe only works if whatever it is uses
the same IP for both the GET and POST and the presence/absence of a
password is just a coincidence.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    Better use your sense - B. Dylan

More information about the Mailman-Users mailing list