[Tfug] Fw: confirm <YOUR MAGIC NUMBER>

Liz Ravenwood Liz_Ravenwood at beaerospace.com
Fri Aug 24 13:05:43 MST 2012


Don, you're brilliant.

Liz Ravenwood
Programmer/Analyst
Super First Class Products
B/E Aerospace
O: 1.520.239.4808
www.beaerospace.com


-----Original Message-----
From: tfug-bounces at tfug.org [mailto:tfug-bounces at tfug.org] On Behalf Of Bexley Hall
Sent: Friday, August 24, 2012 12:58 PM
To: tfug at tfug.org
Subject: [Tfug] Fw: confirm <YOUR MAGIC NUMBER>

Hi,

There appears to be a (minor) bug in the list's subscription handler.

On submitting a request to subscribe, the subscriber receives a
message of the form:

> From: tfug-request at tfug.org <tfug-request at tfug.org>
> Subject: confirm <YOUR MAGIC NUMBER>
> To: <subscriber>
> Date: ...
> Mailing list subscription confirmation notice for mailing list tfug
>
> We have received a request from <IP address> for subscription of your
> email address, "<subscriber>", to the tfug at tfug.org mailing list.  To
> confirm that you want to be added to this mailing list, simply reply
> to this message, keeping the Subject: header intact.  Or
> visit this web page:
>
>     http://tfug.org/mailman/confirm/tfug_tfug.org/<YOUR MAGIC NUMBER>
>
> Or include the following line -- and only the following line -- in a
> message to tfug-request at tfug.org:
>
>     confirm <YOUR MAGIC NUMBER>
>
> Note that simply sending a `reply' to this message should work from
> most mail readers, since that usually leaves the Subject: line in the
> right form (additional "Re:" text in the Subject: is okay).
>
> If you do not wish to be subscribed to this list, please simply
> disregard this message.  If you think you are being maliciously
> subscribed to the list, or have any other questions, send them to
> tfug-owner at tfug.org.

Note that the final of these three confirmation options *suggests*
that ANY message to tfug-request at tfug.org having the body:

     confirm <YOUR MAGIC NUMBER>

should do the trick.

Unfortunately, there is a tiny caveat -- the code that processes the
confirmation requests appears to fast-track Subject line command
tokens at the expense of commands in the body!

So, a message adhering to the above directions *but* bearing a
subject line that resembles a command verb (e.g., "confirm"!)
will result in an error thrown (if the syntax of the subject
line's "command" is in "error") and the body of the message
ignored.

For example, setting the Subject line to "confirm" (with the
body as required, above) will return the error message:

> From: tfug-owner at tfug.org <tfug-owner at tfug.org>
> Subject: The results of your email commands
> To: <subscriber>
> Date:
> The results of your email command are provided below. Attached is
> your original message.
>
> - Results:
>     Usage:
>
>     confirm <confirmation-string>
>         Confirm an action.  The confirmation-string is required
>         and should be supplied by a mailback confirmation notice.
>
> - Unprocessed:
>     confirm <YOUR MAGIC NUMBER>
>
> - Done.

Without looking at the code, it's hard to guess how many other
subject lines are "forbidden" with this sort of confirmation
attempt (command verbs, reserved words, etc.).

I.e., either "reply" using the subject line provided in the
original confirmation message *or* embed the confirmation
in the body and use a subject line that is guaranteed NOT to
conflict with any reserved words used by the list manager
(which, in most cases, are unknown by potential subscribers
and anyone else who's not examined the code, specifically  :> )

<shrug>

Just FYI.  Might save some noob some consternation in the
future...  (I would NOT suggest folks prodding the list with
such tests as I'm sure Jon won't like having to waste his
time attending to any "successes" that creep through!  :< )

[Or, someone can take a peek at the code -- probably a perl
script? -- and patch accordingly?]

--don


_______________________________________________
Tucson Free Unix Group - tfug at tfug.org
Subscription Options:
http://www.tfug.org/mailman/listinfo/tfug_tfug.org

This email (and all attachments) is for the sole use of the intended recipient(s) and may contain privileged and/or proprietary information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.





More information about the tfug mailing list