Please add multipart/signed to DEFAULT_PASS_MIME_TYPES

Bug #1517446 reported by carloslp
Affects | Status | Importance | Assigned to | Milestone
GNU Mailman | Fix Released | Low | Mark Sapiro |

Bug Description

Mailman tarballs contain a Defaults.py file with this configuration:

DEFAULT_PASS_MIME_TYPES = ['multipart/mixed','multipart/alternative','text/plain']

NOTE: I don't know how this file is generated; I found it in the tarballs but not in the repository.

So, when someone enables filtering on a mailing list by mime-type, the default is to filter all emails not matching any of those 3 mime-types.

This list of allowed default mime types does not include "multipart/signed".

Therefore, this is unfortunately filtering any "multipart/signed" emails.

"multipart/signed" is defined in RFC 3156 <https://tools.ietf.org/html/rfc3156> and is the recommended way of signing mails with GPG. See http://wiki.gnupg.org/SignatureHandling

The proposed change is to modify that default configuration to:

DEFAULT_PASS_MIME_TYPES = ['multipart/mixed', 'multipart/alternative', 'multipart/signed', 'text/plain', ]

This default causes trouble for people who sign their mails with GPG. I already had problems due to this default on the Alioth Debian mailing lists and on the WebKit mailing lists because the admin enabled filtering by mime-type and didn't change the default.

Please change this default by adding at least 'multipart/signed' to the list of types allowed.

carloslp (carloslp) wrote :

> The proposed change is to modify that default configuration to:
>
> DEFAULT_PASS_MIME_TYPES = ['multipart/mixed', 'multipart/alternative', 'multipart/signed', 'text/plain', ]

I mean:

DEFAULT_PASS_MIME_TYPES = ['multipart/mixed', 'multipart/alternative', 'multipart/signed', 'text/plain' ]

Mark Sapiro (msapiro) wrote :

The tarballs we distribute do not contain Mailman/Defaults.py. They and the lp:mailman/2.1 branch contain only Mailman/Defaults.py.in. Mailman/Defaults.py is generated by configure by applying various configure options and defaults to Mailman/Defaults.py.in.

Also, in Python,

DEFAULT_PASS_MIME_TYPES = ['multipart/mixed', 'multipart/alternative', 'multipart/signed', 'text/plain', ]

and

DEFAULT_PASS_MIME_TYPES = ['multipart/mixed', 'multipart/alternative', 'multipart/signed', 'text/plain' ]

(without the last comma) are equivalent.

Now, as far as the actual bug is concerned, I am unsure as to the best default for pass_mime_types. I agree that various multipart subtypes such as multipart/related and multipart/signed should be accepted so their text/plain sub-parts will be accepted. To this end, I think at a minimum we should have

DEFAULT_PASS_MIME_TYPES = ['multipart', 'text/plain']

to accept any text/plain subparts of any multipart type, but this brings up other questions. Namely, should we accept message/rfc822 parts to ultimately accept text/plain parts from attached (forwarded or ?) messages, and if we are accepting multipart/signed, should we also accept the actual signature?

For the former, I think the answer is yes. The latter is more complicated because application/pkcs7-signature parts are binary so in the spirit of only accepting text/plain, perhaps we should only accept application/pgp-signature signature parts. I'm tending towards

DEFAULT_PASS_MIME_TYPES = ['multipart', 'message/rfc822', 'text/plain', 'application/pgp-signature']

but I'm continuing to think about it.

Changed in mailman:
assignee: nobody → Mark Sapiro (msapiro)
importance: Undecided → Low
milestone: none → 2.1.21
status: New → In Progress
Mark Sapiro (msapiro)
Changed in mailman:
status: In Progress → Fix Committed
Mark Sapiro (msapiro)
Changed in mailman:
status: Fix Committed → Fix Released
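
Added example, not part of the bug report and not Mailman's own code: a simplified Python model of pass-type filtering, run over a constructed PGP/MIME message with the three lists discussed in this thread. It assumes a part passes when its full type or its bare main type is listed, and that a message whose outer type does not pass is discarded whole; the names `passes` and `kept_leaf_types` are hypothetical.

```python
from email import message_from_string

# Constructed RFC 3156 message; the signature body is a placeholder.
SIGNED = """\
From: alice@example.org
Subject: signed post
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain

Hello list.
--b1
Content-Type: application/pgp-signature; name="signature.asc"

(placeholder signature)
--b1--
"""

# The three pass lists quoted in the thread above.
OLD = ['multipart/mixed', 'multipart/alternative', 'text/plain']
REQUESTED = ['multipart/mixed', 'multipart/alternative', 'multipart/signed', 'text/plain']
WITH_SIG = ['multipart', 'message/rfc822', 'text/plain', 'application/pgp-signature']

def passes(part, pass_types):
    # Assumed matching rule: exact type/subtype, or bare main type.
    return (part.get_content_type() in pass_types
            or part.get_content_maintype() in pass_types)

def _walk(part, pass_types):
    if not part.is_multipart():
        return [part.get_content_type()]
    kept = []
    for sub in part.get_payload():
        if passes(sub, pass_types):
            kept.extend(_walk(sub, pass_types))
    return kept

def kept_leaf_types(msg, pass_types):
    # Surviving leaf types, or None if the outer type is not allowed.
    if not passes(msg, pass_types):
        return None
    return _walk(msg, pass_types)

if __name__ == "__main__":
    msg = message_from_string(SIGNED)
    for name, types in (("old", OLD), ("requested", REQUESTED), ("with sig", WITH_SIG)):
        print(name, kept_leaf_types(msg, types))
```

In this model the requested list keeps the text/plain body but drops the application/pgp-signature part, so the delivered message can no longer be verified; only the last list keeps both.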