Merge authors:
Ralf Jung <[email protected]>
Related merge proposals:
https://code.launchpad.net/~ralfjung-e/mailman/csrf-injective/+merge/347340
proposed by: Ralf Jung (ralfjung-e)
review: Approve - Mark Sapiro (msapiro)
------------------------------------------------------------
revno: 1759 [merge]
committer: Mark Sapiro <[email protected]>
branch nick: 2.1
timestamp: Sun 2018-06-03 16:52:44 -0700
message:
Modified SUBSCRIBE_FORM_SECRET hash generation.
modified:
Mailman/Cgi/listinfo.py
Mailman/Cgi/subscribe.py
NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
=== modified file 'Mailman/Cgi/listinfo.py'
--- Mailman/Cgi/listinfo.py 2018-05-26 16:22:35 +0000
+++ Mailman/Cgi/listinfo.py 2018-06-03 20:19:49 +0000
@@ -218,9 +218,9 @@
remote = remote.rsplit(':', 1)[0]
replacements['<mm-subscribe-form-start>'] += (
'<input type="hidden" name="sub_form_token" value="%s:%s">\n'
- % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
- now +
- mlist.internal_name() +
+ % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" +
+ now + ":" +
+ mlist.internal_name() + ":" +
remote
).hexdigest()
)
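Review bot: the ':' delimiters added on the `+` lines make the hashed string unambiguous only on the assumption that the fields before the last one (`now`, a timestamp, and `mlist.internal_name()`) can never contain ':' themselves; `remote` is the final field, so colons in an IPv6 address cannot shift a field boundary (note the context line `remote = remote.rsplit(':', 1)[0]` also truncates an IPv6 address that carries no port, which is pre-existing). Since this value is a keyed authenticator for the form, the standard construction would be `hmac.new(mm_cfg.SUBSCRIBE_FORM_SECRET, msg, Utils.sha_new).hexdigest()` rather than a bare hash over the secret concatenated with the data; the stdlib `hmac` module is available in the Python versions Mailman 2.1 runs on.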
=== modified file 'Mailman/Cgi/subscribe.py'
--- Mailman/Cgi/subscribe.py 2018-04-11 09:36:40 +0000
+++ Mailman/Cgi/subscribe.py 2018-06-03 20:19:49 +0000
@@ -173,9 +173,9 @@
except ValueError:
ftime = fhash = ''
then = 0
- token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
- ftime +
- mlist.internal_name() +
+ token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" +
+ ftime + ":" +
+ mlist.internal_name() + ":" +
remote1).hexdigest()
if ftime and now - then > mm_cfg.FORM_LIFETIME:
results.append(_('The form is too old. Please GET it again.'))
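Review bot: the token expression on the `+` lines is now a byte-for-byte duplicate of the one in listinfo.py, and the two must stay identical or every subscription form breaks; consider moving it into a single helper in Utils (for example `Utils.form_token(secret, ftime, listname, remote)`, name assumed) that both the generation and the verification sites call, so the delimiter scheme cannot drift between them. Also note that after `except ValueError` sets `ftime = ''`, the hash is still computed with an empty time field; that is harmless only because the `if ftime and ...` check below rejects the form, so a comment there would help the next reader.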
=== modified file 'NEWS'
--- NEWS 2018-05-26 19:12:01 +0000
+++ NEWS 2018-06-03 23:52:44 +0000
@@ -14,6 +14,11 @@
- A few more error messages have had their values HTML escaped.
+ - The hash generated when SUBSCRIBE_FORM_SECRET is set could have been
+ the same as one generated at the same time for a different list and
+ IP address. While this is not thought to be exploitable in any way,
+ the generation has been changed to avoid this. Thanks to Ralf Jung.
+
New Features
- An option has been added to bin/add_members to issue invitations
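Review bot: the NEWS entry should say what actually changed, namely that ':' separators are now inserted between the secret, timestamp, list name and IP address, and should mention the upgrade consequence that follows from changing both the generation and the verification sites: a subscribe form fetched before the upgrade and submitted after it will fail validation within FORM_LIFETIME and has to be reloaded. The phrase "not thought to be exploitable in any way" is also worth qualifying slightly, e.g. "not believed to be exploitable", since the collision is a real property of the old concatenation even if no practical abuse is known.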