Mailman module, Error: The form lifetime has expired. (request forgery check)

Hi, some of our users get the following error message when they click on the Manage button in the Mailing list section:

Error: The form lifetime has expired. (request forgery check)

It started after the upgrade to version 6.6 of webmin-virtualmin-mailman and version 19.07 or 19.08 of Authentic theme. I’m using Virtualmin Pro 6.02-2, Webmin 1.872 and Mailman 2.1.18 on Debian 7.

I can’t reproduce the error. I don’t know whether user activity can produce it (timeout, using the back button in the browser…) or whether it is a bug. Does anyone know?

I have been able to reproduce it: it occurs after logging in to the list admin interface using the “Manage” button.
It occurs in all forms under “Membership Management …” and its subsections (Membership List, Mass Subscription and Mass Removal); any action gets the error message.

In other sections of the administration of the list I can make changes without problems (General options, Privacy options …).
And when accessing the administration of the list from outside of Virtualmin the problem does not appear. It is only when the administration page of the list is embedded in Virtualmin.

Hi,

What version of Mailman is installed on your machine? It seems there was some chatter on the Mailman mailing list about a bug found in 2.1.15 surrounding this.

https://mail.python.org/pipermail/mailman-users/2012-November/074384.html

We are using Mailman 2.1.18. I had read that link, and I have checked that the patched code is still present in Mailman 2.1.18 (http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1366).

I can confirm we have the same bug here on Debian 8, fully updated.

Version Virtualmin 6.02
Version Thème Authentic Theme 19.07
Using Mailman version: 2.1.18

We had the same problem with Ubuntu 14.04 and Mailman 2.16.

The cause is that the form on the member management page (called “members” page in Mailman) is using “multipart/form-data” encoding rather than “application/x-www-form-urlencoded” encoding. This causes the form to be handled improperly (i.e., cgi.FormStorage() does not get decoded into individual fields). In turn, this causes the CSRFCheck to fail, which causes the “forgery” error.

I fixed our installation by changing line 428 in /usr/lib/mailman/Mailman/cgi/admin.py.

Original line 428:
if category in ('autoreply', 'members'):

changed to:
if category == 'autoreply':

This change makes the members page use “application/x-www-form-urlencoded” encoding, which fixes the “forgery” error.

“multipart-form-data” encoding is required if the page has any file upload fields. However (on my Mailman at least), the members page does not have any such fields, so “multipart-form-data” is not required.
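
The failure mode described in the post above, as an added sketch that is not part of the thread and is not Mailman's or Virtualmin's code: a form token survives only if the POST body is decoded with the parser that matches its encoding. The token format, the field name `csrf_token`, the secret, the lifetime and all function names are assumptions made for illustration, and the sample request is constructed.

```python
import hashlib, hmac
from email.parser import BytesParser
from urllib.parse import parse_qs, urlencode

SECRET = b"constructed-demo-secret"  # constructed sample key
LIFETIME = 3600                      # seconds; assumed value for this sketch

def make_token(now):
    """Token = issue time plus an HMAC over it (hypothetical format)."""
    issued = str(int(now))
    return issued + ":" + hmac.new(SECRET, issued.encode(), hashlib.sha256).hexdigest()

def check_token(fields, now):
    """Classify the request: 'ok', 'missing', 'bad-mac' or 'expired'."""
    token = fields.get("csrf_token", "")
    if ":" not in token:
        return "missing"
    issued, mac = token.split(":", 1)
    good = hmac.new(SECRET, issued.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, good):
        return "bad-mac"
    return "expired" if now - int(issued) > LIFETIME else "ok"

def parse_form(body, content_type):
    """Decode a POST body into {name: value} as its Content-Type dictates."""
    if content_type.startswith("multipart/form-data"):
        raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
        parts = BytesParser().parsebytes(raw).get_payload()
        return {p.get_param("name", header="content-disposition"):
                p.get_payload(decode=True).decode().rstrip("\r\n") for p in parts}
    return {k: v[0] for k, v in parse_qs(body.decode()).items()}

def multipart_body(fields, boundary):
    """Build a constructed multipart/form-data body for the sample request."""
    out = b""
    for name, value in fields.items():
        out += (f'--{boundary}\r\nContent-Disposition: form-data; '
                f'name="{name}"\r\n\r\n{value}\r\n').encode()
    return out + f"--{boundary}--\r\n".encode()

def demo(now=1_000_000):
    """Same token, four handling paths; returns the verdict for each."""
    form = {"csrf_token": make_token(now), "user": "a@example.org"}
    multi, mtype = multipart_body(form, "XYZ"), "multipart/form-data; boundary=XYZ"
    utype = "application/x-www-form-urlencoded"
    url = urlencode(form).encode()
    return {"multipart as multipart": check_token(parse_form(multi, mtype), now + 60),
            "multipart as urlencoded": check_token(parse_form(multi, utype), now + 60),
            "urlencoded as urlencoded": check_token(parse_form(url, utype), now + 60),
            "stale form": check_token(parse_form(url, utype), now + LIFETIME + 1)}
```

Logging which non-ok verdict occurred is what separates a genuinely stale form from a body that reached the check undecoded.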

Thank you schoolcoder. You’re my hero!

For me it does get rid of the error, but changes to the users are still not saved…