Set a SUBSCRIBE_FORM_SECRET in mm_cfg.py on new installs, to add protection...

Set a SUBSCRIBE_FORM_SECRET in mm_cfg.py on new installs, to add protection against subscription spam in the default installation. Existing installs will not be changed because it might break external subscribe forms (closes: 900648).

debian/changelog

-mailman (1:2.1.27-1) UNRELEASED; urgency=medium
+mailman (1:2.1.27-1) unstable; urgency=medium
 
   * New upstream release.
   * Run dh_autoreconf to make build reproducble (closes: 889637).
@@ -6,6 +6,10 @@ mailman (1:2.1.27-1) UNRELEASED; urgency=medium
   * Drop Debian patches mangling translations, upstream is in
     a much better shape nowadays (closes: 901810).
   * Checked for policy 4.1.4, no changes.
+  * Set a SUBSCRIBE_FORM_SECRET in mm_cfg.py on new installs,
+    to add protection against subscription spam in the default
+    installation. Existing installs will not be changed because
+    it might break external subscribe forms (closes: 900648).
 
  -- Thijs Kinkhorst <thijs@debian.org>  Sat, 23 Jun 2018 13:23:17 +0000
 

debian/mm_cfg.py

@@ -82,6 +82,21 @@ USE_ENVELOPE_SENDER    = 0              # Still used?
 # Unset send_reminders on newly created lists
 DEFAULT_SEND_REMINDERS = 0
 
+# If the following is set to a non-empty string, this string in combination
+# with the time, list name and the IP address of the requestor is used to
+# create a hidden hash as part of the subscribe form on the listinfo page.
+# This hash is checked upon form submission and the subscribe fails if it
+# doesn't match.  I.e. the form posted must be first retrieved from the
+# listinfo CGI by the same IP that posts it.  The subscribe also fails if
+# the time the form was retrieved is more than the above FORM_LIFETIME or less
+# than the below SUBSCRIBE_FORM_MIN_TIME before submission.
+# Important: If you have any static subscribe forms on your web site, setting
+# this option will break them.  With this option set, subscribe forms must be
+# dynamically generated to include the hidden data.  See the code block
+# beginning with "if mm_cfg.SUBSCRIBE_FORM_SECRET:" in Mailman/Cgi/listinfo.py
+# for the details of the hidden data.
+SUBSCRIBE_FORM_SECRET = None
+
 #-------------------------------------------------------------
 # Uncomment this if you configured your MTA such that it
 # automatically recognizes newly created lists.

debian/postinst

@@ -112,9 +112,11 @@ case "$1" in
             DOMAIN=localhost.localdomain
         fi
 	if [ ! -e /etc/$PACKAGE/mm_cfg.py ]; then
+            SUBSCRIBE_SECRET=`perl -le 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..24)'`
 	    printf "Configuring $PACKAGE for domain $DOMAIN ...\n"
-	    sed s/thunderchild.aszi.sztaki.hu/$DOMAIN/g /usr/lib/mailman/Mailman/mm_cfg.py.dist \
-		> /etc/$PACKAGE/mm_cfg.py
+	    sed -e "s/thunderchild.aszi.sztaki.hu/$DOMAIN/g" \
+		-e "s/SUBSCRIBE_FORM_SECRET = None/SUBSCRIBE_FORM_SECRET = '$SUBSCRIBE_SECRET'/" \
+		/usr/lib/mailman/Mailman/mm_cfg.py.dist > /etc/$PACKAGE/mm_cfg.py
 	fi
 
 	if grep -q mm_defaults /etc/mailman/mm_cfg.py; then