Why is this Postorius API public?
Hello
I've just noticed that the Postorius API is publicly accessible from the outside to an unauthenticated user, for example:
https://HOST/postorius/api/templates/list/LISTNAME.VHOST/list:member:regular...
Is this what is expected? Or a misconfiguration? How to fix this?
This is GNU Mailman 3.1.
Thanks!
On 3/10/22 12:49, Stanisław Findeisen via Mailman-users wrote:
> Hello
> I've just noticed that the Postorius API is publicly accessible from the outside to an unauthenticated user, for example:
> https://HOST/postorius/api/templates/list/LISTNAME.VHOST/list:member:regular...
> Is this what is expected? Or a misconfiguration? How to fix this?
It is expected. That API only serves Postorius configured email templates. Do you think that is sensitive information?
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan