Mailman allows creating a list with '/' in the name.
The forward slash is a legal character in the local parts of email addresses. However, list names, in addition to being the local part of a list's posting address are also used in various other contexts such as URLs where unexpected slashes are problematic.
When app.lifecyclecreate_list()
creates a list, it should apply a more stringent test than just testing that fqdn_listname
is a valid email address. In particular, that test allows [-0-9a-z!#$%&'*+./=?@_{}~]
plus back tic. I think we should definitely not allow [#%&+/=?]
and possibly more.
See https://gitlab.com/mailman/postorius/issues/139 for more on the consequences.