Everyone,

A security vulnerability was reported against Postorius recently which allows any logged-in user to unsubscribe any other member on any other list on the same Mailman installation using a specially crafted POST request, due to a missing ownership check. This has been assigned CVE-2021-40347.

This affects all past versions of Postorius including 1.0.0.

Thanks to Kunal Mehta for the security report and a quick patch to fix the vulnerability.

I am also attaching a minimal patch that fixes it along with this email, without tests and NEWS so that it applies to older versions of Postorius easily (I have tested the included patch with 1.3.3, 1.3.2 git tags).

Upgrading to the 1.3.5 release is highly recommended. It mostly includes the fix for this vulnerability (and a small compatibility fix for django-mailman3 1.3.6), so it shouldn't introduce any other bugs.

You can upgrade to this release by running:

    $ pip install postorius==1.3.5

A full change log is available here[1] as usual and can be downloaded from PyPI[2].

[1]: https://docs.mailman3.org/projects/postorius/en/latest/news.html#news-1-3-5
[2]: https://pypi.org/project/postorius/1.3.5/

Since there aren't many changes, this release requires 3.5+ like 1.3.4. Note, however, that the next release will drop support for 3.5 and will support 3.6 only.

For those of you who use container images, I am working on 0.3.12 of container images right now, so look out for that announcement. For those of you using the rolling releases, you can already upgrade to the latest version of the rolling release as it has the fix.


--
thanks,
Abhilash Raj (maxking)
diff --git a/src/postorius/views/list.py b/src/postorius/views/list.py
index 37d7ff6b..cd4967b9 100644
--- a/src/postorius/views/list.py
+++ b/src/postorius/views/list.py
@@ -502,6 +502,15 @@ class ListUnsubscribeView(MailingListView):
     @method_decorator(login_required)
     def post(self, request, *args, **kwargs):
         email = request.POST['email']
+        # Verify the user actually controls this email, should
+        # return 1 if the user owns the email, 0 otherwise.
+        found_email = EmailAddress.objects.filter(
+            user=request.user, email=email, verified=True).count()
+        if found_email == 0:
+            messages.error(
+                request,
+                _('You can only unsubscribe yourself.'))
+            return redirect('list_summary', self.mailing_list.list_id)
         try:
             self.mailing_list.unsubscribe(email)
             messages.success(request, _('%s has been unsubscribed'
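Review bot: the ownership check in this hunk uses `.count()` and compares against 0, which fetches a count when only existence matters; `EmailAddress.objects.filter(user=request.user, email=email, verified=True).exists()` expresses the intent more directly and is cheaper, and the comment above it ("should return 1 if the user owns the email, 0 otherwise") could then be dropped. Keeping `verified=True` in the filter is the important part, since it means a merely added but unconfirmed address does not grant the right to unsubscribe it. Two smaller points: `email=email` is an exact match, so a submitted address differing only in case from the stored one will be rejected as "not yours" (harmless for security, but worth a note or an `__iexact` lookup if the project normalises addresses elsewhere), and `request.POST['email']` still raises `KeyError` on a missing field, a pre-existing behaviour this hunk leaves unchanged.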
_______________________________________________
Mailman-Developers mailing list -- mailman-developers@python.org
To unsubscribe send an email to mailman-developers-le...@python.org
https://mail.python.org/mailman3/lists/mailman-developers.python.org/
Mailman FAQ: https://wiki.list.org/x/AgA3

Security Policy: https://wiki.list.org/x/QIA9