Comment 0 for bug 1429366

Revision history for this message
Ankush Sharma (black-perl) wrote :

The hash(#) is a valid character as far as the local part of the email addresses is concerned. So, as the mailing list addresses are email addresses too, we can use # in the list names too. And, in context with mailman it works well. We can create a list with list_id sam#hashed.host.org for the address sam#<email address hidden> . This works fine. But it makes the list_id to contain the hash character and therefore the REST endpoint for retrieving list wise info becomes invalid, i.e :

<api-root>/lists/sam#hashed.host.org

Because in an URL the stuff after # is treated as document starting point i.e an id identifier or something of a dom element. This is not a valid PATH for the server. Therefore the falcon wsgi request object does not contain information of that and the req.path simply returns sam as the list_id ( http://bazaar.launchpad.net/~mailman-coders/mailman/3.0/view/head:/src/mailman/rest/wsgiapp.py#L65 ) giving a 404 because there is no any list with list id sam.
The mailman client works fine, it sends a GET to <api-root>lists/sam#hashed.host.org.

This causes the REST end points which needs list_id to return 404 or in worse we can have a list_id clash between ids sam#XXXXX and sam. Further more if the list_id starts with a # character then the server finds list_id to be empty string and therefore we get a KEY ERROR because fqdn_listname is not set too. The bug highly effects postorius too. The lists index template at /postorius/lists/ cannot be rendered as it uses the former REST endpoint and again a 404 is given. And, until we delete this list from the database, we cann't do anything except of getting a 404 and KEY ERROR each time.
As far as security is concerned, if an another user created a public list using a hash character, then public list indexing would also fail.