catch invalid URLs

Bug #266445 reported by Jidanni
Affects: GNU Mailman
Status: New
Importance: Medium
Assigned to: Unassigned

Bug Description

One finds one can use URLs like
http://lists.example.org/admin.cgi/zzz-example.org/zzz/add/vvv/dddd
and still visit the administration pages as if one typed in a correct
URL.

Somewhere in Mailman, something is not checking the URL beyond a
certain length or segment.

You might say "so what?", but if you allow these to work, soon all
kinds of people's typos will end up in documents as being the URL to
use to do various tasks, just because they happened to work that day.

(Yes, the above example does not bypass password checks.)

[http://sourceforge.net/tracker/index.php?func=detail&aid=1879338&group_id=103&atid=100103]

Tags: web-cgi
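
A sketch of the strictness the report asks for, added here as an example; it is not code from Mailman or from the reporter. The route table, the function name `validate_path`, the page names, and treating the first path segment as the list name are all assumptions made for illustration.

```python
import re

# One path segment: conservative character set, no empty segments.
SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")

# Hypothetical route table (an assumption, not Mailman's real URL scheme):
# per CGI script, how many segments may follow the list name and which
# values are accepted in the first of them.
ROUTES = {
    "admin": {"max_extra": 2, "first": {"general", "members", "privacy"}},
    "listinfo": {"max_extra": 0, "first": set()},
}


def validate_path(script, path_info, known_lists):
    """Return (200, parts) for a well-formed path, else (404, reason)."""
    route = ROUTES.get(script)
    if route is None:
        return 404, "unknown script"
    # Tolerate exactly one leading and one trailing slash, nothing more.
    trimmed = path_info[1:] if path_info.startswith("/") else path_info
    if trimmed.endswith("/"):
        trimmed = trimmed[:-1]
    parts = trimmed.split("/") if trimmed else []
    if not parts:
        return 404, "missing list name"
    if not all(SEGMENT.fullmatch(p) for p in parts):
        return 404, "malformed segment"
    listname, extra = parts[0], parts[1:]
    if listname not in known_lists:
        return 404, "no such list"
    # The check the report says is missing: refuse anything past the
    # deepest segment the script actually interprets.
    if len(extra) > route["max_extra"]:
        return 404, "surplus path segments"
    if extra and extra[0] not in route["first"]:
        return 404, "unknown page"
    return 200, parts


if __name__ == "__main__":
    lists = {"zzz-example.org"}  # constructed sample data
    # Path taken from the URL quoted in the report.
    print(validate_path("admin", "/zzz-example.org/zzz/add/vvv/dddd", lists))
    print(validate_path("admin", "/zzz-example.org/members/add", lists))
```

Answering 404 for the surplus-segment case, rather than silently serving the page, keeps mistyped URLs from appearing to work and being copied into documentation.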
Jidanni (jidanni) wrote :

Originator: YES

http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.057.htp is an
example of an evil looseness.
