Ralf Jung has proposed merging lp:~ralfjung-e/mailman/csrf-injective into
lp:mailman/2.1.
Commit message:
Separate data in CSRF token by colon to avoid collisions.
Requested reviews:
Mailman Coders (mailman-coders)
For more details, see:
https://code.launchpad.net/~ralfjung-e/mailman/csrf-injective/+merge/347340
This makes the data-to-token function injective. Previously, for example, the
list called "list1" and the IP "10.0.0.0" would have the same hash as the list
called "list" and the IP "110.0.0.0", as the strings were just concatenated.
--
Your team Mailman Coders is requested to review the proposed merge of
lp:~ralfjung-e/mailman/csrf-injective into lp:mailman/2.1.
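The collision the proposal describes, as an added illustration (this is not code from the merge proposal or from Mailman itself). It assumes Mailman's Utils.sha_new is SHA-1 and uses hashlib directly; the secret, timestamp, list names and addresses are constructed sample values. It also goes one step further than the patch: it shows that a ':' separator is only unambiguous while no field can contain ':', and that a length-prefixed encoding stays injective regardless of field contents.

```python
import hashlib

# Constructed sample values; the real secret comes from mm_cfg.SUBSCRIBE_FORM_SECRET.
SECRET = "example-secret"
NOW = "1528058577"


def token_concat(secret, now, listname, remote):
    """Pre-patch construction: fields are plainly concatenated (not injective)."""
    data = secret + now + listname + remote
    return hashlib.sha1(data.encode()).hexdigest()  # assumes Utils.sha_new == sha1


def token_colon(secret, now, listname, remote):
    """Patched construction: fields joined with ':' as in the proposed diff."""
    data = secret + ":" + now + ":" + listname + ":" + remote
    return hashlib.sha1(data.encode()).hexdigest()


def token_length_prefixed(secret, now, listname, remote):
    """Illustrative alternative (not in the patch): each field is prefixed
    with its byte length, so field boundaries are unambiguous even when a
    field itself contains the separator character."""
    encoded = b""
    for field in (secret, now, listname, remote):
        raw = field.encode()
        encoded += str(len(raw)).encode() + b":" + raw
    return hashlib.sha1(encoded).hexdigest()


def collides(token_fn, fields_a, fields_b):
    """True when two distinct field tuples map to the same token."""
    return fields_a != fields_b and token_fn(*fields_a) == token_fn(*fields_b)


# The case from the proposal: "list1" + "10.0.0.0" vs "list" + "110.0.0.0".
CASE_A = (SECRET, NOW, "list1", "10.0.0.0")
CASE_B = (SECRET, NOW, "list", "110.0.0.0")

# A constructed case where a field contains ':' (the separator itself).
CASE_C = (SECRET, NOW, "list", "1:2")
CASE_D = (SECRET, NOW, "list:1", "2")

if __name__ == "__main__":
    for name, fn in (("concat", token_concat),
                     ("colon", token_colon),
                     ("length-prefixed", token_length_prefixed)):
        print("%-16s list1/10.0.0.0 vs list/110.0.0.0 collide: %s; "
              "colon-in-field collide: %s"
              % (name, collides(fn, CASE_A, CASE_B), collides(fn, CASE_C, CASE_D)))
```

Running it shows the concatenated form colliding on the proposal's example, the colon form fixing that case but still colliding when a field carries a ':', and the length-prefixed form colliding on neither.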
=== modified file 'Mailman/Cgi/listinfo.py'
--- Mailman/Cgi/listinfo.py 2018-05-26 16:22:35 +0000
+++ Mailman/Cgi/listinfo.py 2018-06-03 20:42:57 +0000
@@ -218,9 +218,9 @@
remote = remote.rsplit(':', 1)[0]
replacements['<mm-subscribe-form-start>'] += (
'<input type="hidden" name="sub_form_token" value="%s:%s">\n'
- % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
- now +
- mlist.internal_name() +
+ % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" +
+ now + ":" +
+ mlist.internal_name() + ":" +
remote
).hexdigest()
)
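Review bot: the ':' separator only makes the token injective if none of the joined fields can contain a colon, and the `remote = remote.rsplit(':', 1)[0]` line at the top of this hunk shows `remote` is a value that may carry colons; either document the assumption that `mlist.internal_name()` and the stripped `remote` never contain ':' or use an encoding that is unambiguous regardless of field contents (for example length-prefixing each field). Separately, `Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" + ...)` keys the token by prepending the secret to a plain hash; an HMAC over the same fields with the secret as key would be the standard keyed construction and is worth considering while this code is being touched.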
=== modified file 'Mailman/Cgi/subscribe.py'
--- Mailman/Cgi/subscribe.py 2018-04-11 09:36:40 +0000
+++ Mailman/Cgi/subscribe.py 2018-06-03 20:42:57 +0000
@@ -173,9 +173,9 @@
except ValueError:
ftime = fhash = ''
then = 0
- token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
- ftime +
- mlist.internal_name() +
+ token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" +
+ ftime + ":" +
+ mlist.internal_name() + ":" +
remote1).hexdigest()
if ftime and now - then > mm_cfg.FORM_LIFETIME:
results.append(_('The form is too old. Please GET it again.'))
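Review bot: this hunk repeats the token construction from listinfo.py by hand, so the two copies must stay byte-for-byte identical (note they already differ in variable naming, `remote` versus `remote1`); a single helper, e.g. in Utils, called by both the form generator and the validator would stop them drifting apart. Also, since the hash input changes, tokens embedded in forms served before the upgrade will no longer recompute to the same value for up to FORM_LIFETIME after deployment; a sentence in the commit message about that transitional effect would help operators.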
_______________________________________________
Mailman-coders mailing list
[email protected]
https://mail.python.org/mailman/listinfo/mailman-coders