16 Sep 2019, 11:49 p.m.
On 9/16/19 12:45 PM, Marvin Gülker wrote:
> Just that I understand this right: Mailman only stores a message by list_id plus message ID? If so, what happens if a malicious user sends a message with an intentionally duplicate message ID to a list? Can a user thereby manipulate the message archive? Mailman should probably reject the message with the duplicate ID.
Mailman will accept the message (assuming it passes other checks), but HyperKitty won't archive it because of the duplicate Message-ID. Thus, a malicious user can't manipulate the archive in this way.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
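The first-write-wins behaviour described in the reply above, as an added sketch that is not part of the original message and not HyperKitty's own code. It assumes an archive table with a uniqueness constraint on (list_id, Message-ID); the schema, function names and sample messages are constructed for illustration.

```python
import sqlite3
from email import message_from_string

# Constructed sample messages: FORGED reuses ORIGINAL's Message-ID on the same list.
ORIGINAL = """\
From: alice@example.org
List-Id: <dev.lists.example.org>
Message-ID: <abc123@example.org>
Subject: Release plan

The release is on Friday.
"""
FORGED = ORIGINAL.replace("alice@", "mallory@").replace("on Friday", "cancelled")
OTHER_LIST = ORIGINAL.replace("dev.lists", "users.lists")


def open_archive():
    """Hypothetical archive schema: one row per (list_id, message_id)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE email (list_id TEXT, message_id TEXT, sender TEXT,"
        " body TEXT, UNIQUE (list_id, message_id))"
    )
    return db


def archive(db, raw):
    """Store a message; return True if stored, False if it is a duplicate."""
    msg = message_from_string(raw)
    list_id = msg["List-Id"].strip().strip("<>")
    message_id = msg["Message-ID"].strip().strip("<>")
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO email VALUES (?, ?, ?, ?)",
                       (list_id, message_id, msg["From"], msg.get_payload()))
    except sqlite3.IntegrityError:
        return False  # first write wins: the stored copy is left untouched
    return True


def stored_body(db, list_id, message_id):
    """Return the archived body for a (list_id, message_id) key, or None."""
    row = db.execute(
        "SELECT body FROM email WHERE list_id = ? AND message_id = ?",
        (list_id, message_id),
    ).fetchone()
    return row[0] if row else None
```

Because the key includes the list, the same Message-ID arriving on a different list is stored normally; only a repeat within one list is refused.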