From mark at msapiro.net Mon Jul 2 18:27:24 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 02 Jul 2018 22:27:24 -0000
Subject: [Bug 1779774] [NEW] The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature doesn't work.
Message-ID: <153057044510.29762.1368577406966995463.malonedeb@wampee.canonical.com>

Public bug reported:

The feature looks up domain.tld.zen.spamhaus.org. This is not correct.
It should look up domain.tld.dbl.spamhaus.org.

** Affects: mailman
   Importance: Medium
   Assignee: Mark Sapiro (msapiro)
   Status: Fix Committed

--
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1779774

Title:
  The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature doesn't work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1779774/+subscriptions

From 1779774 at bugs.launchpad.net Mon Jul 2 18:37:46 2018
From: 1779774 at bugs.launchpad.net (Launchpad Bug Tracker)
Date: Mon, 02 Jul 2018 22:37:46 -0000
Subject: [Bug 1779774] Re: The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature doesn't work.
References: <153057044510.29762.1368577406966995463.malonedeb@wampee.canonical.com>
Message-ID: <153057107024.24781.8778560008169530683.launchpad@ackee.canonical.com>

** Branch linked: lp:mailman/2.1

From mark at msapiro.net Mon Jul 2 18:38:04 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 02 Jul 2018 22:38:04 -0000
Subject: [Bug 1779774] Re: The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature doesn't work.
References: <153057044510.29762.1368577406966995463.malonedeb@wampee.canonical.com>
Message-ID: <153057108486.12646.17500082376834086037.launchpad@gac.canonical.com>

** Changed in: mailman
   Status: In Progress => Fix Committed

From jimpop at domainmail.org Mon Jul 2 18:45:24 2018
From: jimpop at domainmail.org (Jim Popovitch)
Date: Mon, 02 Jul 2018 22:45:24 -0000
Subject: [Bug 1779774] Re: The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature doesn't work.
References: <153057044510.29762.1368577406966995463.malonedeb@wampee.canonical.com>
Message-ID: <153057152468.29565.676531683141571519.malone@wampee.canonical.com>

Oops! That's quite an embarrassing error given the whole discussions
around ZEN and PBL, etc. :-)

From mark at msapiro.net Mon Jul 2 19:28:31 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 02 Jul 2018 23:28:31 -0000
Subject: [Bug 1779774] Re: The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature doesn't work.
References: <153057044510.29762.1368577406966995463.malonedeb@wampee.canonical.com> <153057152468.29565.676531683141571519.malone@wampee.canonical.com>
Message-ID:

On 7/2/18 3:45 PM, Jim Popovitch wrote:
> Oops! That's quite an embarrassing error given the whole discussions
> around ZEN and PBL, etc. :-)
>

Yes, but this stuff happens.
I'm glad someone noticed - it was a post to mailman-developers that pointed it out.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Tue Jul 3 19:01:31 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 03 Jul 2018 23:01:31 -0000
Subject: [Bug 1779445] Re: edithtml.py saves en templates using html entity reference with raw iso-8859-1 character
References: <153035253794.18526.5905648585348856237.malonedeb@chaenomeles.canonical.com>
Message-ID: <153065889306.18216.13563692821697626825.malone@chaenomeles.canonical.com>

Actually, this behavior was caused by rev. 1188. Unfortunately, I don't recall specifically why I made that change. I will attach a patch of what I have so far. Because the call to websafe comes from htmlformat.TextArea(), I need more testing to see if the other uses of TextArea are adversely impacted.

** Changed in: mailman
   Importance: Undecided => Medium

** Changed in: mailman
   Status: New => In Progress

** Changed in: mailman
   Milestone: None => 2.1.28

** Changed in: mailman
   Assignee: (unassigned) => Mark Sapiro (msapiro)

From mark at msapiro.net Tue Jul 3 19:04:43 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 03 Jul 2018 23:04:43 -0000
Subject: [Bug 1779445] Re: edithtml.py saves en templates using html entity reference with raw iso-8859-1 character
References: <153035253794.18526.5905648585348856237.malonedeb@chaenomeles.canonical.com>
Message-ID: <153065908396.18292.5313011298657842508.malone@chaenomeles.canonical.com>

** Patch added: "Possible fix."
   https://bugs.launchpad.net/mailman/+bug/1779445/+attachment/5159349/+files/1779445.patch

From mark at msapiro.net Tue Jul 3 20:17:25 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 04 Jul 2018 00:17:25 -0000
Subject: [Bug 1779445] Re: edithtml.py saves en templates using html entity reference with raw iso-8859-1 character
References: <153035253794.18526.5905648585348856237.malonedeb@chaenomeles.canonical.com>
Message-ID: <153066344580.30182.13381569516050777001.launchpad@wampee.canonical.com>

** Patch removed: "Possible fix."
   https://bugs.launchpad.net/mailman/+bug/1779445/+attachment/5159349/+files/1779445.patch

From mark at msapiro.net Tue Jul 3 20:24:18 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 04 Jul 2018 00:24:18 -0000
Subject: [Bug 1779445] Re: edithtml.py saves en templates using html entity reference with raw iso-8859-1 character
References: <153035253794.18526.5905648585348856237.malonedeb@chaenomeles.canonical.com>
Message-ID: <153066385880.30144.453475330462446611.malone@wampee.canonical.com>

Revised possible fix patch. I think the main reason for not double escaping HTML entities was to make HTML text displayed in the admindb interface more readable. This patch will avoid double escaping only in readonly TextArea.

** Patch added: "Possible fix."
   https://bugs.launchpad.net/mailman/+bug/1779445/+attachment/5159363/+files/1779445.patch

From futatuki at poem.co.jp Sat Jul 7 22:50:30 2018
From: futatuki at poem.co.jp (Yasuhito FUTATSUKI at POEM)
Date: Sun, 08 Jul 2018 02:50:30 -0000
Subject: [Bug 1779445] Re: edithtml.py saves en templates using html entity reference with raw iso-8859-1 character
References: <153035253794.18526.5905648585348856237.malonedeb@chaenomeles.canonical.com>
Message-ID: <153101823026.13372.14239573244881414388.malone@gac.canonical.com>

I understand that your fix is to preserve character entity references in the text of TextArea through the post method, and I made sure it has been fixed in Rev 1788. Thank you.
I think there is one more problem, about the charset of query strings from Text or TextArea, which is not restricted to ascii text for all languages. If a text contains a raw non-ascii character, its charset depends on the implementation of browsers, even if the HTML 4.01 specification mentions its default is "UNKNOWN", which means "User agents may interpret this value as the character encoding that was used to transmit the document containing this FORM element." (https://www.w3.org/TR/html401/interact/forms.html)

It seems that it is not a problem in most cases on browsers nowadays respecting the specification, but it is still a problem in some cases. At least, when I put a non-breaking space ('\xa0' in iso-8859-1) character into a Text field in a us-ascii form using Firefox 61 on FreeBSD, it was encoded as '%A0' in the query string, although characters in Unicode are encoded as numeric character references.

The code to handle this special care for 'us-ascii' is found in Utils.canonstr(), so it may be needed to use it in some places, including TextArea in edithtml.py. (Though using non-ascii characters in a us-ascii form is irregular, of course.)

From mark at msapiro.net Sun Jul 8 11:11:51 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 08 Jul 2018 15:11:51 -0000
Subject: [Bug 1779445] Re: edithtml.py saves en templates using html entity reference with raw iso-8859-1 character
References: <153035253794.18526.5905648585348856237.malonedeb@chaenomeles.canonical.com>
Message-ID: <153106271175.17821.13001150467256231231.malone@chaenomeles.canonical.com>

I think the issue in the original description is fixed and that described in comment #5 is a different issue. If you think this is a significant issue that needs to be fixed, please open a new bug for it.

From futatuki at poem.co.jp Sun Jul 8 18:09:24 2018
From: futatuki at poem.co.jp (Yasuhito FUTATSUKI at POEM)
Date: Sun, 08 Jul 2018 22:09:24 -0000
Subject: [Merge] lp:~futatuki/mailman/edithtml-lang-select into lp:mailman/2.1
Message-ID: <153108776127.6966.7803170196263134955.launchpad@ackee.canonical.com>

Yasuhito FUTATSUKI at POEM has proposed merging lp:~futatuki/mailman/edithtml-lang-select into lp:mailman/2.1.

Commit message:
Allow to edit templates other than lists preferred language

Requested reviews:
  Mailman Coders (mailman-coders)

For more details, see:
https://code.launchpad.net/~futatuki/mailman/edithtml-lang-select/+merge/349101

This enables editing templates for available languages without changing preferred_language temporarily.
* Add language selector to template editing page (if the list has multiple available languages)
* Add link from editing page to template selection page

--
Your team Mailman Coders is requested to review the proposed merge of lp:~futatuki/mailman/edithtml-lang-select into lp:mailman/2.1.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: review-diff.txt
Type: text/x-diff
Size: 3878 bytes
Desc: not available
URL:

From futatuki at poem.co.jp Sun Jul 8 18:26:37 2018
From: futatuki at poem.co.jp (Yasuhito FUTATSUKI at POEM)
Date: Sun, 08 Jul 2018 22:26:37 -0000
Subject: [Bug 1779445] Re: edithtml.py saves en templates using html entity reference with raw iso-8859-1 character
References: <153035253794.18526.5905648585348856237.malonedeb@chaenomeles.canonical.com>
Message-ID: <153108879778.6602.434538670731721483.malone@soybean.canonical.com>

I don't think it is significant, as I mentioned in the last sentence of comment #5, within the ()'s. So I won't open a bug for it. I'm sorry to bother you.

From noreply at launchpad.net Sun Jul 8 22:03:05 2018
From: noreply at launchpad.net (noreply at launchpad.net)
Date: Mon, 09 Jul 2018 02:03:05 -0000
Subject: [Merge] lp:~futatuki/mailman/edithtml-lang-select into lp:mailman/2.1
In-Reply-To: <153108776127.6966.7803170196263134955.launchpad@ackee.canonical.com>
Message-ID: <153110178283.24459.1364092877339655379.launchpad@ackee.canonical.com>

The proposal to merge lp:~futatuki/mailman/edithtml-lang-select into lp:mailman/2.1 has been updated.
Status: Needs review => Merged

For more details, see:
https://code.launchpad.net/~futatuki/mailman/edithtml-lang-select/+merge/349101

From futatuki at poem.co.jp Sun Jul 8 23:18:22 2018
From: futatuki at poem.co.jp (Yasuhito FUTATSUKI at POEM)
Date: Mon, 09 Jul 2018 03:18:22 -0000
Subject: [Merge] lp:~futatuki/mailman/edithtml-lang-select into lp:mailman/2.1
Message-ID: <153110630002.32069.13194645465635538839.launchpad@ackee.canonical.com>

Yasuhito FUTATSUKI at POEM has proposed merging lp:~futatuki/mailman/edithtml-lang-select into lp:mailman/2.1.

Commit message:
fix layout problem of previous merge

Requested reviews:
  Mailman Coders (mailman-coders)

For more details, see:
https://code.launchpad.net/~futatuki/mailman/edithtml-lang-select/+merge/349104

I'm very sorry, the previous merge proposal has a problem with page layout: the two links "View or edit the list configuration information." and "Edit the public HTML pages and textfiles" are connected without a separator. This is a fix for it, inserting '
' tag between them.

From mark at msapiro.net Sun Jul 8 23:24:00 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 09 Jul 2018 03:24:00 -0000
Subject: [Merge] lp:~futatuki/mailman/edithtml-lang-select into lp:mailman/2.1
In-Reply-To: <153110630002.32069.13194645465635538839.launchpad@ackee.canonical.com>
Message-ID: <153110663984.29952.8406802731500297357.codereview@wampee.canonical.com>

I already made that change. See line 206 at

--
https://code.launchpad.net/~futatuki/mailman/edithtml-lang-select/+merge/349104

From futatuki at poem.co.jp Sun Jul 8 23:27:03 2018
From: futatuki at poem.co.jp (Yasuhito FUTATSUKI at POEM)
Date: Mon, 09 Jul 2018 03:27:03 -0000
Subject: [Merge] lp:~futatuki/mailman/edithtml-lang-select into lp:mailman/2.1
In-Reply-To: <153110630002.32069.13194645465635538839.launchpad@ackee.canonical.com>
Message-ID: <153110682272.12680.7793521760608436460.codereview@gac.canonical.com>

Oh, I'm very sorry, and thank you very much!

--
https://code.launchpad.net/~futatuki/mailman/edithtml-lang-select/+merge/349104

From mark at msapiro.net Mon Jul 9 19:16:13 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 09 Jul 2018 23:16:13 -0000
Subject: [Bug 1780874] [NEW] Arbitrary text injection vulnerability in Mailman CGIs
Message-ID: <153117817368.30346.7961140519157314478.malonedeb@chaenomeles.canonical.com>

*** This bug is a security vulnerability ***

Private security bug reported:

A URL with a very long text listname such as

http://www.example.com/mailman/listinfo/This_is_a_long_string_with_some_phishing_text

will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.

** Affects: mailman
   Importance: Low
   Assignee: Mark Sapiro (msapiro)
   Status: In Progress

From futatuki at poem.co.jp Wed Jul 11 22:36:24 2018
From: futatuki at poem.co.jp (Yasuhito FUTATSUKI at POEM)
Date: Thu, 12 Jul 2018 02:36:24 -0000
Subject: [Merge] lp:~futatuki/mailman/fix-Defaults.py into lp:mailman/2.1
Message-ID: <153136298185.2065.9675592786198259783.launchpad@ackee.canonical.com>

Yasuhito FUTATSUKI at POEM has proposed merging lp:~futatuki/mailman/fix-Defaults.py into lp:mailman/2.1.

Commit message:
add description about IPv6 support of subscribe blocking to Defaults.py.in
fix a typo in comment of BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE

Requested reviews:
  Mailman Coders (mailman-coders)

For more details, see:
https://code.launchpad.net/~futatuki/mailman/fix-Defaults.py/+merge/349388

-------------- next part --------------
A non-text attachment was scrubbed...
Name: review-diff.txt
Type: text/x-diff
Size: 822 bytes
Desc: not available
URL:

From noreply at launchpad.net Wed Jul 11 23:15:41 2018
From: noreply at launchpad.net (noreply at launchpad.net)
Date: Thu, 12 Jul 2018 03:15:41 -0000
Subject: [Merge] lp:~futatuki/mailman/fix-Defaults.py into lp:mailman/2.1
In-Reply-To: <153136298185.2065.9675592786198259783.launchpad@ackee.canonical.com>
Message-ID: <153136533954.8888.18106141436403988147.launchpad@ackee.canonical.com>

The proposal to merge lp:~futatuki/mailman/fix-Defaults.py into lp:mailman/2.1 has been updated.

Status: Needs review => Merged

For more details, see:
https://code.launchpad.net/~futatuki/mailman/fix-Defaults.py/+merge/349388

From mark at msapiro.net Sun Jul 15 20:54:50 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 16 Jul 2018 00:54:50 -0000
Subject: [Merge] lp:~futatuki/mailman/python-doc-url into lp:mailman/2.1
In-Reply-To: <153163436082.14053.4634519662883889872.launchpad@ackee.canonical.com>
Message-ID: <153170248980.2495.18104268969934493567.codereview@wampee.canonical.com>

I have mixed feelings about this MR.

On the one hand, it is valid and represents a significant amount of work, and I hate to just ignore it.

On the other, I have concerns. While it is true that the URL http://docs.python.org/library/stdtypes.html#string-formatting-operations doesn't go to the relevant Python 3 section of library/stdtypes.html which is https://docs.python.org/3/library/stdtypes.html#printf-style-string-formatting, that Python 3 section is not so different from Python 2 as to be misleading.

Likewise, the reference to http://docs.python.org/library/re.html goes to the Python 3 page which is not so different from Python 2 as to be misleading, and the reference to http://www.python.org/doc/current/lib/module-re.html which gives a 404 is only in the 'ca' mailman.po.

None of this is really a reason to not fix these things, but my concern is what will happen on 1 January 2020 (see https://pythonclock.org/ ). Are we changing these wrong but not so bad URLs to ones that will 404 in less than 18 months?

--
https://code.launchpad.net/~futatuki/mailman/python-doc-url/+merge/349626

From futatuki at poem.co.jp Sun Jul 15 22:40:17 2018
From: futatuki at poem.co.jp (Yasuhito FUTATSUKI at POEM)
Date: Mon, 16 Jul 2018 02:40:17 -0000
Subject: [Merge] lp:~futatuki/mailman/python-doc-url into lp:mailman/2.1
In-Reply-To: <153170248980.2495.18104268969934493567.codereview@wampee.canonical.com>
Message-ID: <153170881666.2734.14794350534046995626.codereview@wampee.canonical.com>

> I have mixed feelings about this MR.

I also have complex feelings about this.

> On the one hand, it is valid and represents a significant amount of work, and
> I hate to just ignore it.
>
> On the other, I have concerns. While it is true that the URL
> http://docs.python.org/library/stdtypes.html#string-formatting-operations
> doesn't go to the relevant Python 3 section of library/stdtypes.html which is
> https://docs.python.org/3/library/stdtypes.html#printf-style-string-
> formatting, that Python 3 section is not so different from Python 2 as to be
> misleading.

I think it is hard to find the correct section to read if list admins aren't so familiar with Python. This is why I started working to fix these URLs.

> Likewise, the reference to http://docs.python.org/library/re.html goes to the
> Python 3 page which is not so different from Python 2 as to be misleading, and
> the reference to http://www.python.org/doc/current/lib/module-re.html which
> gives a 404 is only in the 'ca' mailman.po.

I agree it is not much of a problem except for the 'ca' mailman.po. This is a by-product of the fix for stdtypes.html, and is for consistency of this MP.

> None of this is really a reason to not fix these things, but my concern is
> what will happen on 1 January 2020 (see https://pythonclock.org/ ). Are we
> changing these wrong but not so bad URLs to ones that will 404 in less than 18
> months?

On the other hand, there is also no warranty these URLs will not change within 18 months :)

Putting that aside, if Python 2 docs will vanish after Jan 2020, our choices will be to link to Python 3 docs (with some comment if needed) or to search and link to appropriate docs (I don't think Python 2 library docs will not be removed even if their URL will be changed).

I also started to check other URLs (re)moved or switched to https, but I soon stopped working further, as I'm not sure it is worth doing so....

--
https://code.launchpad.net/~futatuki/mailman/python-doc-url/+merge/349626

From futatuki at poem.co.jp Mon Jul 16 03:43:34 2018
From: futatuki at poem.co.jp (Yasuhito FUTATSUKI at POEM)
Date: Mon, 16 Jul 2018 07:43:34 -0000
Subject: [Merge] lp:~futatuki/mailman/python-doc-url into lp:mailman/2.1
In-Reply-To: <153163436082.14053.4634519662883889872.launchpad@ackee.canonical.com>
Message-ID: <153172701377.23486.13337548631514220492.codereview@soybean.canonical.com>

> (I don't think Python 2 library docs will not be removed even if their URL will be changed)

I'm sorry, I didn't intend a double negation; this was intended as "(I don't think Python 2 library docs will be removed soon, even if their URL will be changed)"

I'll stand by your choice even if it is not merging this or fixing only the 404 link in the ca po file by pointing to http://docs.python.org/library/re.html for maintenance reasons, etc. Anyway, as it has been clear where and how to modify if we will want to fix these URLs, it is also easy to fix them later.

--
https://code.launchpad.net/~futatuki/mailman/python-doc-url/+merge/349626

From noreply at launchpad.net Tue Jul 17 02:07:48 2018
From: noreply at launchpad.net (noreply at launchpad.net)
Date: Tue, 17 Jul 2018 06:07:48 -0000
Subject: [Merge] lp:~futatuki/mailman/python-doc-url into lp:mailman/2.1
In-Reply-To: <153163436082.14053.4634519662883889872.launchpad@ackee.canonical.com>
Message-ID: <153180766562.14817.15194481087368883930.launchpad@ackee.canonical.com>

The proposal to merge lp:~futatuki/mailman/python-doc-url into lp:mailman/2.1 has been updated.

Status: Needs review => Merged

For more details, see:
https://code.launchpad.net/~futatuki/mailman/python-doc-url/+merge/349626

From futatuki at poem.co.jp Thu Jul 19 03:58:27 2018
From: futatuki at poem.co.jp (Yasuhito FUTATSUKI at POEM)
Date: Thu, 19 Jul 2018 07:58:27 -0000
Subject: [Merge] lp:~futatuki/mailman/2.1-ja-translation into lp:mailman/2.1
Message-ID: <153198710174.11578.8877663101732135229.launchpad@ackee.canonical.com>

Yasuhito FUTATSUKI at POEM has proposed merging lp:~futatuki/mailman/2.1-ja-translation into lp:mailman/2.1.

Commit message:
Update ja translation

Requested reviews:
  Mailman Coders (mailman-coders)

For more details, see:
https://code.launchpad.net/~futatuki/mailman/2.1-ja-translation/+merge/349853

Update ja translation including
* fix missed one '"' (double quote character) in HTML attribute.
* revise some translation message
* translate untranslated messages
* unify comma and full stop character in Japanese context into U+3001 (toten as comma) and U+3002 (kuten as full stop). (cf.
https://en.wikipedia.org/wiki/Japanese_punctuation#Japanese_punctuation_marks)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: review-diff.txt
Type: text/x-diff
Size: 374350 bytes
Desc: not available
URL:

From noreply at launchpad.net Thu Jul 19 12:39:58 2018
From: noreply at launchpad.net (noreply at launchpad.net)
Date: Thu, 19 Jul 2018 16:39:58 -0000
Subject: [Merge] lp:~futatuki/mailman/2.1-ja-translation into lp:mailman/2.1
In-Reply-To: <153198710174.11578.8877663101732135229.launchpad@ackee.canonical.com>
Message-ID: <153201839622.14834.13450799113067558126.launchpad@ackee.canonical.com>

The proposal to merge lp:~futatuki/mailman/2.1-ja-translation into lp:mailman/2.1 has been updated.

Status: Needs review => Merged

For more details, see:
https://code.launchpad.net/~futatuki/mailman/2.1-ja-translation/+merge/349853

From mark at msapiro.net Mon Jul 23 10:04:16 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 23 Jul 2018 14:04:16 -0000
Subject: [Bug 1780874] Re: Arbitrary text injection vulnerability in Mailman CGIs
References: <153117817368.30346.7961140519157314478.malonedeb@chaenomeles.canonical.com>
Message-ID: <153235465655.12476.16902220632928554107.launchpad@gac.canonical.com>

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-13796

From 1780874 at bugs.launchpad.net Mon Jul 23 10:13:18 2018
From: 1780874 at bugs.launchpad.net (Launchpad Bug Tracker)
Date: Mon, 23 Jul 2018 14:13:18 -0000
Subject: [Bug 1780874] Re: Arbitrary text injection vulnerability in Mailman CGIs
References: <153117817368.30346.7961140519157314478.malonedeb@chaenomeles.canonical.com>
Message-ID: <153235520103.15266.2657130712357029067.launchpad@ackee.canonical.com>

** Branch linked: lp:mailman/2.1

From mark at msapiro.net Mon Jul 23 10:24:33 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 23 Jul 2018 14:24:33 -0000
Subject: [Bug 1780874] Re: Arbitrary text injection vulnerability in Mailman CGIs
References: <153117817368.30346.7961140519157314478.malonedeb@chaenomeles.canonical.com>
Message-ID: <153235587368.32021.3559255333028308596.malone@chaenomeles.canonical.com>

This patch mitigates the content spoofing vulnerability by truncating long list names.

** Patch added: "Patch to fix this issue"
   https://bugs.launchpad.net/mailman/+bug/1780874/+attachment/5166712/+files/1780874.patch

** Information type changed from Private Security to Public

From mark at msapiro.net Mon Jul 23 11:06:44 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 23 Jul 2018 15:06:44 -0000
Subject: [Bug 1780874] Re: Arbitrary text injection vulnerability in Mailman CGIs
References: <153117817368.30346.7961140519157314478.malonedeb@chaenomeles.canonical.com>
Message-ID: <153235840555.23210.10763053373831335430.launchpad@soybean.canonical.com>

** Changed in: mailman
   Status: In Progress => Fix Released

From mark at msapiro.net Mon Jul 23 11:07:00 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 23 Jul 2018 15:07:00 -0000
Subject: [Bug 1779774] Re: The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature doesn't work.
References: <153057044510.29762.1368577406966995463.malonedeb@wampee.canonical.com>
Message-ID: <153235842145.2531.16532583815072731413.launchpad@wampee.canonical.com>

** Changed in: mailman
   Status: Fix Committed => Fix Released

From mark at msapiro.net Mon Jul 23 11:06:28 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 23 Jul 2018 15:06:28 -0000
Subject: [Bug 1779445] Re: edithtml.py saves en templates using html entity reference with raw iso-8859-1 character
References: <153035253794.18526.5905648585348856237.malonedeb@chaenomeles.canonical.com>
Message-ID: <153235838935.2249.4098201498679937721.launchpad@wampee.canonical.com>

** Changed in: mailman
   Status: In Progress => Fix Released

From mark at msapiro.net Mon Jul 23 11:10:21 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 23 Jul 2018 15:10:21 -0000
Subject: [Bug 1731604] Re: VERP fails if the recipient address local part is quoted.
References: <151038163229.934.12641910175503585284.malonedeb@chaenomeles.canonical.com>
Message-ID: <153235862237.11887.3003938887499340034.launchpad@gac.canonical.com>

** Changed in: mailman
   Milestone: 2.1.28 => 2.1.29
From mark at msapiro.net Mon Jul 23 15:17:09 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 23 Jul 2018 19:17:09 -0000
Subject: [Bug 1780874] Re: Arbitrary text injection vulnerability in Mailman CGIs
References: <153117817368.30346.7961140519157314478.malonedeb@chaenomeles.canonical.com>
Message-ID: <153237342958.12122.1158207868123510654.launchpad@gac.canonical.com>

** Description changed:

  A URL with a very long text listname such as

  http://www.example.com/mailman/listinfo/This_is_a_long_string_with_some_phishing_text

  will echo the text in the "No such list" error response. This can be
  used to make a potential victim think the phishing text comes from a
  trusted site.
+
+ This issue was discovered by Hammad Qureshi
+ .

From mark at msapiro.net Tue Jul 24 17:47:44 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 24 Jul 2018 21:47:44 -0000
Subject: [Bug 1783417] [NEW] The fix for https://bugs.launchpad.net/mailman/+bug/1780874 breaks admin and listinfo overview pages
Message-ID: <153246886513.12398.1223704739059529568.malonedeb@gac.canonical.com>

Public bug reported:

Mailman 2.1.29 will be released today to fix this.

** Affects: mailman
   Importance: Critical
     Assignee: Mark Sapiro (msapiro)
       Status: In Progress

** Patch added: "Patch to fix Mailman 2.1.28"
   https://bugs.launchpad.net/bugs/1783417/+attachment/5167323/+files/fix_2.1.28.patch
From 1783417 at bugs.launchpad.net Tue Jul 24 17:57:12 2018
From: 1783417 at bugs.launchpad.net (Launchpad Bug Tracker)
Date: Tue, 24 Jul 2018 21:57:12 -0000
Subject: [Bug 1783417] Re: The fix for https://bugs.launchpad.net/mailman/+bug/1780874 breaks admin and listinfo overview pages
References: <153246886513.12398.1223704739059529568.malonedeb@gac.canonical.com>
Message-ID: <153246943669.15263.14097617076645998370.launchpad@ackee.canonical.com>

** Branch linked: lp:mailman/2.1

From mark at msapiro.net Tue Jul 24 18:11:22 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 24 Jul 2018 22:11:22 -0000
Subject: [Bug 1783417] Re: The fix for https://bugs.launchpad.net/mailman/+bug/1780874 breaks admin and listinfo overview pages
References: <153246886513.12398.1223704739059529568.malonedeb@gac.canonical.com>
Message-ID: <153247028331.23486.9320116404374840142.launchpad@soybean.canonical.com>

** Changed in: mailman
       Status: In Progress => Fix Released
From mark at msapiro.net Tue Jul 24 18:11:43 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 24 Jul 2018 22:11:43 -0000
Subject: [Bug 1731604] Re: VERP fails if the recipient address local part is quoted.
References: <151038163229.934.12641910175503585284.malonedeb@chaenomeles.canonical.com>
Message-ID: <153247030431.2335.3821516006939856858.launchpad@wampee.canonical.com>

** Changed in: mailman
    Milestone: 2.1.29 => 2.1.30

From mark at msapiro.net Tue Jul 24 18:44:08 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 24 Jul 2018 22:44:08 -0000
Subject: [Bug 1780874] Re: Arbitrary text injection vulnerability in Mailman CGIs
References: <153117817368.30346.7961140519157314478.malonedeb@chaenomeles.canonical.com>
Message-ID: <153247224846.3109.993344150219622640.malone@wampee.canonical.com>

The prior patch was wrong. It has been removed. This patch is good.

** Patch removed: "Patch to fix this issue"
   https://bugs.launchpad.net/mailman/+bug/1780874/+attachment/5166712/+files/1780874.patch

** Attachment added: "Updated patch to fix this issue"
   https://bugs.launchpad.net/mailman/+bug/1780874/+attachment/5167324/+files/patch.txt
From jimpop at domainmail.org Tue Jul 24 18:07:27 2018
From: jimpop at domainmail.org (Jim Popovitch)
Date: Tue, 24 Jul 2018 22:07:27 -0000
Subject: [Bug 1783417] Re: The fix for https://bugs.launchpad.net/mailman/+bug/1780874 breaks admin and listinfo overview pages
References: <153246886513.12398.1223704739059529568.malonedeb@gac.canonical.com>
Message-ID: <153247004727.32215.9544809326163864431.malone@chaenomeles.canonical.com>

Breaks those pages in what way?

From mark at msapiro.net Tue Jul 24 20:29:08 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 25 Jul 2018 00:29:08 -0000
Subject: [Bug 1783417] Re: The fix for https://bugs.launchpad.net/mailman/+bug/1780874 breaks admin and listinfo overview pages
References: <153246886513.12398.1223704739059529568.malonedeb@gac.canonical.com>
Message-ID: <153247854828.12398.11241981790804043150.malone@gac.canonical.com>

Going to https://www.example.com/mailman/listinfo/ or
https://www.example.com/mailman/admin/ without a listname gives the "We
hit a bug" response. Actually I think any of the MM cgi's would do that,
but listinfo and admin are the only ones that don't require a listname
to work.
From jimpop at domainmail.org Tue Jul 24 20:55:06 2018
From: jimpop at domainmail.org (Jim Popovitch)
Date: Wed, 25 Jul 2018 00:55:06 -0000
Subject: [Bug 1783417] Re: The fix for https://bugs.launchpad.net/mailman/+bug/1780874 breaks admin and listinfo overview pages
References: <153246886513.12398.1223704739059529568.malonedeb@gac.canonical.com>
Message-ID: <153248010644.22948.5726753405557913244.malone@soybean.canonical.com>

Ahh, thank you for clarifying. I have redirects to specific lists, so I
never saw that.

It doesn't get said enough, Thank you Mark for your excellent dedication
and support.

From Ralf.Hildebrandt at charite.de Wed Jul 25 03:52:01 2018
From: Ralf.Hildebrandt at charite.de (Ralf Hildebrandt)
Date: Wed, 25 Jul 2018 07:52:01 -0000
Subject: [Bug 1783500] [NEW] listinfo page broken after upgrade to 2.1.28
Message-ID: <153250512199.31596.10562399596459970744.malonedeb@chaenomeles.canonical.com>

Public bug reported:

Jul 25 09:47:04 2018 admin(5452): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin(5452): [----- Mailman Version: 2.1.28 -----]
admin(5452): [----- Traceback ------]
admin(5452): Traceback (most recent call last):
admin(5452):   File "/home/mailman/scripts/driver", line 117, in run_main
admin(5452):     main()
admin(5452):   File "/home/mailman/Mailman/Cgi/listinfo.py", line 42, in main
admin(5452):     parts = Utils.GetPathPieces()
admin(5452):   File "/home/mailman/Mailman/Utils.py", line 300, in GetPathPieces
admin(5452):     if len(pieces[0]) > longest:
admin(5452): IndexError: list index out of range
admin(5452): [----- Python Information -----]
admin(5452): sys.version = 2.7.15rc1 (default, Apr 15 2018, 21:51:34) [GCC 7.3.0]
admin(5452): sys.executable = /usr/bin/python
admin(5452): sys.prefix = /usr
admin(5452): sys.exec_prefix = /usr
admin(5452): sys.path = ['/home/mailman/pythonlib', '/home/mailman', '/home/mailman/scripts', '/home/mailman', '/usr/lib/python2.7', '/usr/lib/python2.7/plat-i386-linux-gnu', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/lib-old', '/usr/lib/python2.7/lib-dynload', '/usr/lib/python2.7/site-packages', '/usr/lib/python2.7/dist-packages']
admin(5452): sys.platform = linux2
admin(5452): [----- Environment Variables -----]
admin(5452): HTTPS: on
admin(5452): SERVER_NAME: mailman.charite.de
admin(5452): REMOTE_ADDR: 10.32.38.213
admin(5452): PYTHONPATH: /home/mailman
admin(5452): REMOTE_PORT: 56065
admin(5452): REQUEST_SCHEME: https
admin(5452): SCRIPT_NAME: /mailman/listinfo
admin(5452): REQUEST_METHOD: GET
admin(5452): HTTP_HOST: mailman.charite.de
admin(5452): PATH_INFO: /
admin(5452): SERVER_PORT: 443
admin(5452): SERVER_PROTOCOL: HTTP/1.1
admin(5452): QUERY_STRING:
admin(5452): REQUEST_URI: /mailman/listinfo/
admin(5452): DOCUMENT_ROOT: /home/mailman

** Affects: mailman
   Importance: Undecided
       Status: New
From Ralf.Hildebrandt at charite.de Wed Jul 25 04:11:01 2018
From: Ralf.Hildebrandt at charite.de (Ralf Hildebrandt)
Date: Wed, 25 Jul 2018 08:11:01 -0000
Subject: [Bug 1783500] Re: listinfo page broken after upgrade to 2.1.28
References: <153250512199.31596.10562399596459970744.malonedeb@chaenomeles.canonical.com>
Message-ID: <153250626194.23327.1166871729669177455.malone@soybean.canonical.com>

Fixed in 2.1.29, sorry for the noise!

** Changed in: mailman
       Status: New => Fix Released

From mark at msapiro.net Wed Jul 25 11:31:53 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 25 Jul 2018 15:31:53 -0000
Subject: [Bug 1783500] Re: listinfo page broken after upgrade to 2.1.28
References: <153250512199.31596.10562399596459970744.malonedeb@chaenomeles.canonical.com>
Message-ID: <153253271393.11813.3701293730784592207.launchpad@gac.canonical.com>

*** This bug is a duplicate of bug 1783417 ***
    https://bugs.launchpad.net/bugs/1783417

** This bug has been marked a duplicate of bug 1783417
   The fix for https://bugs.launchpad.net/mailman/+bug/1780874 breaks admin and listinfo overview pages
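
Added example, not part of any message in this thread and not Mailman's own code: a sketch of the regression in bugs 1783417 and 1783500, where the length check on the first path component is reached with PATH_INFO "/" and an empty component list. The function names, KNOWN_LISTS, the fallback limit of 20 and the truncate-then-escape behaviour are assumptions made for illustration; only the failing line shape and the PATH_INFO value come from the traceback above.

```python
import html

KNOWN_LISTS = {"mailman", "test-announce"}  # constructed sample data


def split_path(path_info):
    """Split a CGI PATH_INFO value into its non-empty components."""
    return [p for p in (path_info or "").split("/") if p]


def pieces_unguarded(path_info, longest):
    """Same shape as the failing line in the traceback: pieces[0] is
    indexed even when PATH_INFO is "/" and there are no components."""
    pieces = split_path(path_info)
    if len(pieces[0]) > longest:
        pieces[0] = pieces[0][:longest] + "..."
    return pieces


def pieces_guarded(path_info, longest):
    """Apply the length check only when a first component exists."""
    pieces = split_path(path_info)
    if pieces and len(pieces[0]) > longest:
        # Assumption: an over-long name is truncated before it is echoed.
        pieces[0] = pieces[0][:longest] + "..."
    return pieces


def error_text(path_info, known_lists=KNOWN_LISTS):
    """Return the "No such list" text, or None when there is no error."""
    # Assumption: the limit is the longest real list name, else 20.
    longest = max([len(n) for n in known_lists] or [20])
    pieces = pieces_guarded(path_info, longest)
    if not pieces or pieces[0].lower() in known_lists:
        return None  # overview page, or an existing list
    return "No such list <em>%s</em>" % html.escape(pieces[0].lower())


def crashes(func, path_info, longest=20):
    """True if func raises IndexError for this PATH_INFO."""
    try:
        func(path_info, longest)
    except IndexError:
        return True
    return False
```

A regression test for a fix of this kind should cover both the listname-less overview URLs and an over-long listname, since the first report fixed one and broke the other.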