Setting private_roster to list admin only causes subscriptions to break

Bug #1696202 reported by Terri
This bug affects 1 person
Affects: GNU Mailman
Importance: Undecided
Assigned to: Mark Sapiro

Bug Description

This is an odd one, seen on https://mail.python.org/

The Pycon Pune list was set up such that private_roster was set to list admin only, whereupon all subscribers got a message "The hidden token didn't match. Did your IP change?" after they entered their email address and were sent to the standard page at https://mail.python.org/mailman/confirm/pycon-pune

I reset the private_roster to "List members" and for some reason, this solved the problem and would-be subscribers get the usual "Your subscription request has been received, and will soon be acted upon." message.

Not sure if this is a mail.python.org specific bug or a Mailman 2.1 issue in general, but I figure Mark's equipped to handle either one so filing here is the right choice regardless.

Mark Sapiro (msapiro) wrote :

I just tried subscribing to <email address hidden> from the page at <https://mail.python.org/mailman/listinfo/mailman-users>. This list has private rosters and the subscription process went completely normally. Upon submitting the form, I was sent to the subscribe results page and all was as expected.

There is an issue with load balancers and perhaps proxies. The IPv4 address that submits the form has to match the address that did the GET of the form. It used to have to match exactly, but because of load balancer issues we've seen, it now only has to match the first 3 octets <https://bugs.launchpad.net/bugs/1447445>.

Maybe there is some IP change issue and changing private_roster was just a coincidence.

I've looked at logs and I see

Jun 05 11:15:42 2017 (21148) pycon-pune: pending Anwesha ...
Jun 05 11:25:35 2017 (23837) pycon-pune: pending Kushal ...
Jun 05 20:42:26 2017 (18559) pycon-pune: pending Kushal ...
Jun 06 07:32:48 2017 (9267) pycon-pune: pending Sayan ...
Jun 06 14:13:45 2017 (5012) pycon-pune: pending Terri Test ...

Associated with some of those, I see successful GETs of the listinfo and POSTs of the form. I also see these GETs and POSTs shortly before the successful Terri Test subscribe.

/var/log/apache2/mail.python.org-ssl_access.log:134.134.139.75 - - [06/Jun/2017:14:06:21 -0400] "GET /mailman/listinfo/pycon-pune HTTP/2.0" 200 2292 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36"
/var/log/apache2/mail.python.org-ssl_access.log:192.55.55.41 - - [06/Jun/2017:14:08:31 -0400] "GET /mailman/listinfo/pycon-pune HTTP/2.0" 200 2291 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36"
/var/log/apache2/mail.python.org-ssl_access.log:134.134.139.75 - - [06/Jun/2017:14:08:42 -0400] "POST /mailman/subscribe/pycon-pune HTTP/2.0" 200 546 "https://mail.python.org/mailman/listinfo/pycon-pune" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36"
/var/log/apache2/mail.python.org-ssl_access.log:134.134.139.75 - - [06/Jun/2017:14:09:15 -0400] "GET /mailman/listinfo/pycon-pune HTTP/2.0" 200 2293 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36"
/var/log/apache2/mail.python.org-ssl_access.log:192.55.55.41 - - [06/Jun/2017:14:09:24 -0400] "POST /mailman/subscribe/pycon-pune HTTP/2.0" 200 546 "https://mail.python.org/mailman/listinfo/pycon-pune" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36"
/var/log/apache2/mail.python.org-ssl_access.log:192.55.55.41 - - [06/Jun/2017:14:12:02 -0400] "GET /mailman/listinfo/pycon-pune HTTP/2.0" 200 2292 "https://mail.python.org/mailman/admin/pycon-pune/digest" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36"
/var/log/apache2/mail.python.org-ssl_access.log:134.134.139.75 - - [06/Jun/2...

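The address check described in the comment above, sketched as an added example (this is not Mailman's code): a hidden form token that ties the GET of the form to the later POST by hashing a secret with the issue time, list name and client address. `SECRET`, `MAX_AGE`, the function names and the addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-example-secret"   # assumption: per-site secret
MAX_AGE = 3600                           # assumption: token lifetime, seconds

def bind_address(ip, octets):
    """Keep only the leading IPv4 octets that the token is bound to."""
    return ".".join(ip.split(".")[:octets])

def issue_token(listname, ip, octets, now=None):
    """Token placed in a hidden field when the form is served (the GET)."""
    ts = str(int(now if now is not None else time.time()))
    msg = ":".join((ts, listname, bind_address(ip, octets))).encode()
    return ts + ":" + hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def check_token(token, listname, ip, octets, now=None):
    """Validate the hidden field against the address submitting the POST."""
    now = int(now if now is not None else time.time())
    ts, _, digest = token.partition(":")
    if not (ts.isascii() and ts.isdigit()):
        return False                     # malformed timestamp
    if not 0 <= now - int(ts) <= MAX_AGE:
        return False                     # issued in the future, or expired
    msg = ":".join((ts, listname, bind_address(ip, octets))).encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(digest.encode(), expected.encode())

def scenario(get_ip, post_ip, octets):
    """Serve the form to get_ip, then check a POST arriving from post_ip."""
    token = issue_token("pycon-pune", get_ip, octets, now=1000)
    return check_token(token, "pycon-pune", post_ip, octets, now=1060)

if __name__ == "__main__":
    cases = [  # constructed addresses from documentation ranges
        ("192.0.2.10", "192.0.2.10"),    # same address for GET and POST
        ("192.0.2.10", "192.0.2.77"),    # same /24, different proxy node
        ("192.0.2.10", "198.51.100.5"),  # different egress network
    ]
    for get_ip, post_ip in cases:
        print(get_ip, post_ip,
              "exact:", scenario(get_ip, post_ip, 4),
              "first-3:", scenario(get_ip, post_ip, 3))
```

Binding to the first three octets tolerates a proxy pool inside one /24 but still rejects a client whose GET and POST leave through unrelated networks.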

Kushal Das (kushaldas) wrote :

I tried to subscribe again with my ID, and I am getting stuck on the same confirmation page. So, maybe it is the load balancer as Mark suggested.

Mark Sapiro (msapiro) wrote :

It's not load balancing or the "The hidden token didn't match. Did your IP change?" message that Terri mentions. I think that was affecting her testing, but is not the actual problem that was originally reported.

The issue is that when one gets the initial https://mail.python.org/mailman/confirm/pycon-pune/xxx... page, it succeeds as it should, but somehow clicking "subscribe" POSTs the form, but Apache sees a GET rather than a POST, so the CGI doesn't see the cookie in the post data.

I don't know how many lists are affected or why, but I've successfully confirmed subscription to two other mail.python.org lists, so I don't think it's a Mailman issue. Rather it seems to be Apache or the network.

Mark Sapiro (msapiro) wrote :

I'm marking this as invalid because the actual issue wasn't the "The hidden token didn't match. Did your IP change?" issue which I think only appeared in Terri's testing.

The underlying issue was that the list was created with URL host = python.org rather than mail.python.org, causing all form submissions to redirect and lose POST data. The list is now fixed.

Changed in mailman:
assignee: nobody → Mark Sapiro (msapiro)
status: New → Invalid
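One way to spot this failure from the web server side, as an added example that is not from the bug report or from Mailman: scan a combined-format access log for a POST that was answered with a redirect and then repeated by the same client as a GET. The log lines, the redirect status, the 5-second window and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# 301/302/303 are followed with a GET by browsers; 307/308 keep the method.
REDIRECTS = {"301", "302", "303"}
WINDOW = timedelta(seconds=5)   # assumption: how soon the GET follows

def parse(line):
    """Turn one combined-format log line into a dict, or None if unparsable."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def lost_posts(lines):
    """Return (ip, path, status) for each redirected POST that the same
    client then requested as a GET, i.e. a form whose body never arrived."""
    pending, hits = {}, []
    for rec in filter(None, map(parse, lines)):
        key = (rec["ip"], rec["path"])
        if rec["method"] == "POST" and rec["status"] in REDIRECTS:
            pending[key] = rec
        elif rec["method"] == "GET" and key in pending:
            post = pending.pop(key)
            if rec["ts"] - post["ts"] <= WINDOW:
                hits.append((post["ip"], post["path"], post["status"]))
    return hits

SAMPLE = [  # constructed log lines, not taken from mail.python.org
    '192.0.2.10 - - [06/Jun/2017:14:20:01 -0400] '
    '"POST /mailman/confirm/pycon-pune HTTP/1.1" 301 340 "-" "constructed"',
    '192.0.2.10 - - [06/Jun/2017:14:20:02 -0400] '
    '"GET /mailman/confirm/pycon-pune HTTP/1.1" 200 2100 "-" "constructed"',
    '192.0.2.44 - - [06/Jun/2017:14:21:10 -0400] '
    '"POST /mailman/subscribe/mailman-users HTTP/1.1" 200 546 "-" "constructed"',
]

if __name__ == "__main__":
    for ip, path, status in lost_posts(SAMPLE):
        print(f"{ip} POST {path} -> {status}, then GET: form data lost")
```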