Invited user can subscribe to any list (inc private lists)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNU Mailman | Fix Released | High | Unassigned | 
Bug Description
Currently, the Pending queue maintains no reference to
what mailing list a subscription request is for. This
is encoded in the URL, and isn't a security problem for
subscriptions. However, Invitations are a special sort
of subscription that bypasses the subscription approval
step if the user accepts the invitation. So if a user
munges the URL they are sent from
http://
http://
that link, they are subscribed to the private list with
no notification to anyone.
Simple solution may be to set userdesc.invited to the
listname rather than just '1', and then when checking
for the invited flag make sure that someone is hacking
the system.
[http://
Raising the priority so this must be fixed for 2.1.2
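The following is an added example, not Mailman's own code, that models the report above: a Pending store keyed only by the confirmation cookie, an `invited` flag that is either `1` (the vulnerable behaviour) or the list name (the proposed fix), and a confirm handler that takes the list name from the URL. All names (`LISTS`, `PENDING`, `invite`, `confirm`, `munged_url_attack`) and the two list names are hypothetical stand-ins; the cookie and address values are constructed for the demonstration.

```python
import secrets

# Hypothetical in-memory stand-ins for Mailman's list config and Pending db.
LISTS = {}    # listname -> {'private': bool, 'members': set()}
PENDING = {}  # cookie -> UserDesc; the record itself carries no listname


def reset():
    """Start each scenario from a clean, constructed state."""
    LISTS.clear()
    PENDING.clear()
    LISTS['public-list'] = {'private': False, 'members': set()}
    LISTS['private-list'] = {'private': True, 'members': set()}


class UserDesc:
    """Minimal stand-in for the pending subscription record."""
    def __init__(self, address, invited):
        self.address = address
        self.invited = invited  # 1 (vulnerable) or listname (fixed) or 0


def request_subscription(listname, address):
    """Ordinary subscribe request: invited=0, so approval still applies."""
    cookie = secrets.token_hex(8)
    PENDING[cookie] = UserDesc(address, 0)
    return cookie


def invite(listname, address, fixed):
    """Mint the cookie mailed to an invitee.

    Vulnerable variant records only that an invitation was made (1);
    fixed variant records which list the invitation was for.
    """
    cookie = secrets.token_hex(8)
    PENDING[cookie] = UserDesc(address, listname if fixed else 1)
    return cookie


def confirm(listname, cookie, fixed):
    """Handle .../confirm/<listname>/<cookie>; listname comes from the URL."""
    userdesc = PENDING.get(cookie)
    if userdesc is None:
        return 'no-such-cookie'
    if listname not in LISTS:
        return 'no-such-list'
    if fixed and userdesc.invited and userdesc.invited != listname:
        # Cookie was minted for a different list: the URL was edited.
        # Leave the cookie in place so the genuine link still works.
        return 'rejected-wrong-list'
    if userdesc.invited:
        # Accepted invitation bypasses moderator approval by design.
        LISTS[listname]['members'].add(userdesc.address)
        del PENDING[cookie]
        return 'subscribed'
    del PENDING[cookie]
    if LISTS[listname]['private']:
        return 'held-for-approval'
    LISTS[listname]['members'].add(userdesc.address)
    return 'subscribed'


def munged_url_attack(fixed):
    """Invitee of public-list rewrites the URL to name private-list."""
    reset()
    cookie = invite('public-list', 'attacker@example.com', fixed)
    outcome = confirm('private-list', cookie, fixed)
    return outcome, 'attacker@example.com' in LISTS['private-list']['members']


def legitimate_invite(fixed):
    """Unmodified link: must keep working in both variants."""
    reset()
    cookie = invite('public-list', 'invitee@example.com', fixed)
    outcome = confirm('public-list', cookie, fixed)
    return outcome, 'invitee@example.com' in LISTS['public-list']['members']


def plain_request_munged(fixed):
    """Non-invitation request with an edited URL: approval still applies."""
    reset()
    cookie = request_subscription('public-list', 'user@example.com')
    outcome = confirm('private-list', cookie, fixed)
    return outcome, 'user@example.com' in LISTS['private-list']['members']


if __name__ == '__main__':
    for fixed in (False, True):
        print('fixed' if fixed else 'vulnerable', munged_url_attack(fixed))
```

With `fixed=False` the edited link lands the attacker on the private list with no approval step; with `fixed=True` the handler notices that the stored list name does not match the one in the URL and refuses, while the unmodified invitation link and ordinary subscribe requests behave as before.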