------------------------------------------------------------
revno: 1392
fixes bug: https://launchpad.net/bugs/1190802
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Thu 2013-06-13 17:48:43 -0700
message:
  - Fixed a bug causing the admin web interface to fail CSRF checking if
    the list name contains a '+' character. (LP: #1190802)
modified:
  Mailman/CSRFcheck.py
  NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
=== modified file 'Mailman/CSRFcheck.py' --- Mailman/CSRFcheck.py 2012-02-05 21:19:39 +0000 +++ Mailman/CSRFcheck.py 2013-06-14 00:48:43 +0000 @@ -1,4 +1,4 @@ -# Copyright (C) 2011-2012 by the Free Software Foundation, Inc. +# Copyright (C) 2011-2013 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -55,8 +55,9 @@ try: issued, keymac = marshal.loads(binascii.unhexlify(token)) key, received_mac = keymac.split(':', 1) - klist, key = key.split('+', 1) - assert klist == mlist.internal_name() + if not key.startswith(mlist.internal_name() + '+'): + return False + key = key[len(mlist.internal_name()) + 1:] if '+' in key: key, user = key.split('+', 1) else: === modified file 'NEWS' --- NEWS 2013-06-10 21:35:21 +0000 +++ NEWS 2013-06-14 00:48:43 +0000 @@ -61,6 +61,9 @@ Bug Fixes and other patches + - Fixed a bug causing the admin web interface to fail CSRF checking if + the list name contains a '+' character. (LP: #1190802) + - Fixed bin/mailmanctl -s to not remove the master lock if it can't be determined to be truly stale. (LP: #1189558)
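Review bot: In the second Mailman/CSRFcheck.py hunk (@@ -55,8 +55,9 @@), the new `key.startswith(mlist.internal_name() + '+')` test still leaves '+' ambiguous as a separator. For a list named `a`, a key that was built for a list named `a+b` also passes the prefix test, and the remainder `b+...` then reaches the `if '+' in key:` split with `b` treated as the key. Please confirm that the code following this hunk rejects such a remainder, and add a test with two lists where one name is a '+'-prefix of the other. Minor: `mlist.internal_name()` is evaluated twice; binding it to a local once (a name such as `lname` is only a suggestion) makes the prefix check and the slice visibly use the same value. Dropping the `assert klist == mlist.internal_name()` in favour of `return False` is the right direction, since an assert is compiled out under `python -O`.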