Bug 745012

Summary: default httpd config for Mailman offers directory listings for lists with disabled but public archives
Product: Red Hat Enterprise Linux 5
Reporter: Ulrik Haugen <ulrik.haugen>
Component: mailman
Assignee: Jan Kaluža <jkaluza>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: high
Priority: unspecified
Version: 5.7
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Clones: 745409
Last Closed: 2013-03-11 08:43:46 UTC
Bug Blocks: 745409, 745411

Description Ulrik Haugen 2011-10-11 07:36:46 UTC
Description of problem:

If you ask Mailman to not archive a list but fail to ask it to keep the (disabled) archives private the attachments sent to that list will be placed in a public archive.

This problem is made worse by the default httpd config included in the rpm which turns on directory listings for the public archives:

    ...
    <Directory /var/lib/mailman/archives/public>
        Options Indexes MultiViews FollowSymLinks
    ...


Mailman maintains an index of all messages that belong in the archive including links to their attachments so it would make a lot more sense to disable Options Indexes for /var/lib/mailman/archives/public.


Version-Release number of selected component (if applicable):

mailman-2.1.9-6.el5_6.1



How reproducible:

Always.


Steps to Reproduce:

* Create a test list with settings:
archive = 0
archive_private = 0

* Send a message to the list with an attachment.

* Go to: http://SITE.ADDRESS/pipermail/TEST-LIST/attachments/

* Follow the directory listings to your attachment.

 
Actual results:

Attachment for unarchived list can be found by guessing a constant directory component and then following the directory indexes.


Expected results:

Nothing is archived for unarchived list.


Additional info:

% yum info mailman
Loaded plugins: fastestmirror
base 3566/3566
rpmforge 10775/10775
unit 38/38
unit-extras 3/3
Excluding Packages from RHEL 5 - RPMforge.net - dag
Finished
Installed Packages
Name : mailman
Arch : x86_64
Epoch : 3
Version : 2.1.9
Release : 6.el5_6.1
Size : 34 M
Repo : installed
Summary : Mailing list manager with built in Web access.
URL : http://www.list.org/
License : GPL
Description: Mailman is software to help manage email discussion lists, much
           : like Majordomo and Smartmail. Unlike most similar products, Mailman
           : gives each mailing list a webpage, and allows users to subscribe,
           : unsubscribe, etc. over the Web. Even the list manager can
           : administer his or her list entirely from the Web. Mailman also
           : integrates most things people want to do with mailing lists,
           : including archiving, mail <-> news gateways, and so on.
           :
           : Documentation can be found in: /usr/share/doc/mailman-2.1.9
           :
           : When the package has finished installing, you will need to perform
           : some additional installation steps, these are described in:
           : /usr/share/doc/mailman-2.1.9/INSTALL.REDHAT


I've already submitted this as CentOS bug 0005123 but they referred to upstream.
http://bugs.centos.org/view.php?id=5123

Comment 1 Jan Kaluža 2011-10-11 09:13:30 UTC
So is it only about disabling indexes in the httpd conf, or does mailman store private attachments in a public directory for you?

Comment 2 Ulrik Haugen 2011-10-11 11:01:08 UTC
I intended this bug to be about disabling indexes in httpd.conf, as it exposes this problem and is not suggested in the Mailman installation documentation.

The root cause of the problem is of course that Mailman stores these attachments in the archive when archiving is disabled, so no list admin will think about marking the archive private, but it seems a bigger issue and just disabling the indexes will be a big help.

There is already a bug in the vicinity of the root cause in Mailman's bug tracker:
https://bugs.launchpad.net/mailman/+bug/266317
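An added check, not from the report or the mailman package, that applies the point made in the description and in comment 2: it reads the <Directory> block for the public archive out of an httpd config and reports whether Options would leave directory listings on, using constructed fragments of the block as quoted in the report and of a hardened variant. It assumes one block per path and does not model .htaccess, <Location> or later overriding sections.

```python
import re

DIR_RE = re.compile(r'<Directory\s+"?([^\s">]+)"?\s*>', re.IGNORECASE)
END_RE = re.compile(r"</Directory\s*>", re.IGNORECASE)
OPT_RE = re.compile(r"Options\s+(.*)$", re.IGNORECASE)
ALL = {"execcgi", "followsymlinks", "includes", "indexes", "symlinksifownermatch"}  # "All" minus MultiViews

# Constructed fragments: the block as quoted in the report, and the same block
# with Indexes dropped (absolute form; httpd rejects mixing +/- with bare names).
SHIPPED = """<Directory /var/lib/mailman/archives/public>
    Options Indexes MultiViews FollowSymLinks
</Directory>"""
HARDENED = """<Directory /var/lib/mailman/archives/public>
    Options MultiViews FollowSymLinks
</Directory>"""

def _normalize(words):
    opts = {w.lower() for w in words}
    return (opts - {"all"}) | ALL if "all" in opts else opts

def effective_options(config, directory, inherited=frozenset()):
    """Options in effect under <Directory directory>: absolute form replaces the
    set, relative +/- form adjusts it.  `inherited` stands in for the server-wide
    Options (httpd 2.2's built-in default is All, which includes Indexes)."""
    options = _normalize(inherited)
    inside = False
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/indentation
        if DIR_RE.match(line):
            inside = DIR_RE.match(line).group(1).rstrip("/") == directory.rstrip("/")
        elif END_RE.match(line):
            inside = False
        elif inside and OPT_RE.match(line):
            words = OPT_RE.match(line).group(1).split()
            relative = [w[0] in "+-" for w in words]
            if all(relative):
                for w in words:
                    (options.add if w[0] == "+" else options.discard)(w[1:].lower())
            elif any(relative):
                raise ValueError("mixed absolute and relative Options: " + line)
            else:
                options = _normalize(words)
    return frozenset(options)

def listings_enabled(config, directory="/var/lib/mailman/archives/public",
                     inherited=frozenset()):
    """True if httpd would serve directory listings under `directory`."""
    return "indexes" in effective_options(config, directory, inherited)
```

Run it against the real /etc/httpd/conf.d/mailman.conf with `inherited` set to whatever the server-wide Options line says; an empty config with the 2.2 default still reports listings on.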

Comment 6 Jan Kaluža 2013-03-11 08:43:46 UTC
I am sorry, but it is now too late in the RHEL-5 release cycle.
RHEL-5.10 (the next RHEL-5 minor release) is going to be the first
production phase 2 [1] release of RHEL-5. Since phase 2 we'll be
addressing only security and critical issues.
This issue has RHEL6 clone (Bug 745409) and should be fixed in RHEL6 row, therefore I'm closing it as WONTFIX in RHEL5.

[1] https://access.redhat.com/support/policy/updates/errata/