Some forms in list admin interfaces use absolute links in form action

Bug #1279980 reported by Vitor Choi Feitosa
This bug affects 2 people
Affects: GNU Mailman | Status: Incomplete | Importance: Low | Assigned to: Mark Sapiro | Milestone: (none)

Bug Description

Some forms in admin interface, like the one on list member management -- https://HOSTNAME/mailman/admin/somelist/members -- , use absolute links as the form action url.

POST data then gets transmitted in the clear because that absolute link points to http instead of https address.

I'm running mailman 2.1.14
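
As an added check (not part of this report or of Mailman itself) for the problem described above: the script below parses a fetched admin page and lists every form whose action would submit over plain http. The page URL, the sample HTML and the paths in it are constructed for the demonstration; on a real installation you would feed it the HTML of the pages you are worried about.

```python
"""Audit the form actions in a fetched page for plaintext (http://) submission targets."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActions(HTMLParser):
    """Collects the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def insecure_form_actions(page_url, html):
    """Return (raw_action, resolved_url) for each form that would POST over http.

    Relative and empty actions inherit the scheme of the page they sit on, so
    they are only flagged when the page itself was served over http.
    """
    parser = _FormActions()
    parser.feed(html)
    flagged = []
    for action in parser.actions:
        resolved = urljoin(page_url, action)
        if urlsplit(resolved).scheme.lower() == "http":
            flagged.append((action, resolved))
    return flagged


# Constructed sample: an admin page served over https that mixes the absolute
# http action reported in this bug with relative and https actions.
SAMPLE_PAGE_URL = "https://lists.example.org/mailman/admin/somelist/members"
SAMPLE_HTML = """
<form method="POST" action="http://lists.example.org/mailman/admin/somelist/members">
  <input type="text" name="findmember"></form>
<form method="POST" action="../somelist/members/add"></form>
<form method="POST" action=""></form>
<form method="POST" action="https://lists.example.org/mailman/admin/somelist/members/remove"></form>
"""

if __name__ == "__main__":
    for raw, resolved in insecure_form_actions(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("plaintext form action: %r -> %s" % (raw, resolved))
```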

Revision history for this message
Mark Sapiro (msapiro) wrote :

If you want to use https, you need to set DEFAULT_URL_PATTERN to an https scheme in mm_cfg.py, e.g.

DEFAULT_URL_PATTERN = 'https://%s/mailman/'

and then run fix_url to update the web_page_url attribute of your lists. See the FAQ at <http://wiki.list.org/x/7oA9>.

Changed in mailman:
status: New → Invalid
Revision history for this message
Vitor Choi Feitosa (vchoi) wrote :

Nice to have such a prompt answer.

I'd like to support both http and https, and use some http server magic to redirect admin urls to https. If those form action urls were relative, it would just work and I can't think of any reason for not using relative links whenever possible.

Still think it's an invalid request?

Revision history for this message
Mark Sapiro (msapiro) wrote :

I see your point, but I wonder why you would want to allow http for, e.g., the data in the listinfo subscribe form. I.e., why not just access all of Mailman's web UI via https and use server redirect to redirect all http URLs?

Changed in mailman:
assignee: nobody → Mark Sapiro (msapiro)
importance: Undecided → Low
status: Invalid → Incomplete
Revision history for this message
Vitor Choi Feitosa (vchoi) wrote :

As a matter of fact, that's how my configuration is right now. All http traffic gets redirected to https.

I'd like to support a better solution in which ssl would be used only when needed. That would result in better caching at web proxies on ISPs and companies and wouldn't prevent intrusion detection and prevention systems from working.

This kind of behavior will probably come by default in mailman 3. In the meantime, I guess it should require only small changes on the code to generate relative urls instead of absolute, and if it's as easy as I think it is then it would be a nice improvement in mailman 2. :)

Revision history for this message
Mark Sapiro (msapiro) wrote : Re: [Bug 1279980] Re: Some forms in list admin interfaces use absolute links in form action

On 02/13/2014 03:12 PM, Vitor Choi Feitosa wrote:
>
> I'd like to support a better solution in which ssl would be used only
> when needed. That would result in better caching at web proxies on ISPs
> and companies and wouldn't prevent intrusion detection and prevention
> systems from working.

But exactly which pages would you not secure? You are concerned about
the admin Membership List, so aren't you also concerned about the list
roster, the private archives and user options login, the user options
page with the capability to change password, the listinfo subscribe form
and possibly others. What's left to not secure?

> This kind of behavior will probably come by default in mailman 3. In
> the meantime, I guess it should require only small changes on the code
> to generate relative urls instead of absolute, and if it's as easy as I
> think it is then it would be a nice improvement in mailman 2. :)

The code currently has a flag for requesting an absolute URL. Some URLs
are requested as absolute and others not. I've only been working with
Mailman for about 9 years and I don't know the reasons why some URLs are
requested absolute, so I would have to examine each case to determine
the unintended consequences of making the URL relative. This is only a
trivial change in the code, but a lot of work to examine possible
consequences in each case.

If you wanted to try it in your installation, you could change all
occurrences of 'absolute=1' to 'absolute=0' in Mailman/Cgi/*.py.

--
Mark Sapiro <email address hidden>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

Revision history for this message
Vitor Choi Feitosa (vchoi) wrote :

I'll do that, thanks for the tip!

Revision history for this message
J-K (johannes-out-of-the-forest) wrote :

I have the following problem:
The list's host_name is example.org, but the mailman pages (list-info, admin interface, archive) are located at http://www.example.com/mailman/ ; example.com is the provider.
The .htaccess for example.org contains:

# without www -> with www
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^/(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

# mailman
RewriteRule /mailman/(.*)$ http://www.example.com/mailman/$1 [R=301,NC,L]

But still I'm not able to use the forms where the action URLs are absolute! I can't see why it could be problematic to have relative URLs by default.
For example: At the moment the members can't access the private archive. This is annoying.

Revision history for this message
J-K (johannes-out-of-the-forest) wrote :

I just learned that the POST data is lost with a 301 redirect. You can use a 307 redirect but the user will get a warning about the redirection: https://programmers.stackexchange.com/a/99966
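
An added demonstration (standard-library Python, not Mailman code and not from this thread) of the 301 behaviour just described: two loopback HTTP servers stand in for the plaintext site and its https counterpart; the client POSTs a constructed form body to the first, which answers 301 as a rewrite rule would, and each side records the method and body it received. The ports, paths and form fields are assumptions for the demo.

```python
"""Why redirecting an http form POST to https neither protects nor preserves the data."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen


class _Recorder(BaseHTTPRequestHandler):
    """Records (method, body) and either redirects (301) or accepts (200)."""
    redirect_to = None  # set on the subclass used for the redirecting server

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        self.server.seen.append((self.command, self.rfile.read(length)))
        if self.redirect_to:
            self.send_response(301)
            self.send_header("Location", self.redirect_to)
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _handle

    def log_message(self, *args):  # keep the demo quiet
        pass


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: pick a free port
    srv.seen = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def post_through_redirect(form_body=b"adminpw=s3cret&action=members"):
    """Return what the 'http' and the 'https' stand-ins each received."""
    secure = _serve(type("Secure", (_Recorder,), {}))
    target = "http://127.0.0.1:%d/mailman/admin/somelist/members" % secure.server_port
    plain = _serve(type("Plain", (_Recorder,), {"redirect_to": target}))
    url = "http://127.0.0.1:%d/mailman/admin/somelist/members" % plain.server_port
    # urllib follows the 301 the way browsers do: the retried request is a GET
    # without the body, and the body has already reached the first server.
    with urlopen(Request(url, data=form_body, method="POST")) as resp:
        resp.read()
    for srv in (plain, secure):
        srv.shutdown()
        srv.server_close()
    return {"plain": plain.seen, "secure": secure.seen}


if __name__ == "__main__":
    print(post_through_redirect())
```

The first server sees the full POST body (the part that would travel in the clear), while the second only sees an empty GET, which is the data loss the comment above mentions.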

Revision history for this message
Mark Sapiro (msapiro) wrote :

It looks to me like your Mailman is not correctly configured. See the FAQ at <http://wiki.list.org/x/4030592>.

If your configuration is correct, any absolute form action URLs will not need redirection.
