Web subscribe can fail in cases of load balancers or other devices.

Bug #1447445 reported by Mark Sapiro
This bug affects 1 person
Affects Status Importance Assigned to Milestone
GNU Mailman
Mark Sapiro

Bug Description

The fix for (LP: #1082746) implemented a SUBSCRIBE_FORM_SECRET feature. If this is enabled by a site, the subscribe form on the listinfo page contains a hidden input field which includes a hash of various data including the IP address that the GET of the listinfo came from. Upon submission of the form, this hash is recomputed using the IP address that the POST of the form came from, and if the hashes don't match, the subscribe fails.

This can cause legitimate subscribes to fail if the user is connected via a load balancer or other device which submits http(s) requests using a possibly different IP for each request.

Related branches

Mark Sapiro (msapiro)
Changed in mailman:
status: In Progress → Fix Committed
Mark Sapiro (msapiro)
Changed in mailman:
milestone: 2.1.21 → 2.1.21rc1
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers