------------------------------------------------------------
revno: 1809
fixes bug: https://launchpad.net/bugs/1818872
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Wed 2019-03-06 09:48:32 -0800
message:
  Strip leading/trailing spaces from login email for private and options login.
modified:
  Mailman/Cgi/options.py
  Mailman/Cgi/private.py
  NEWS


--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py	2018-12-30 17:40:15 +0000
+++ Mailman/Cgi/options.py	2019-03-06 17:48:32 +0000
@@ -144,7 +144,7 @@
     doc.set_language(language)
 
     if lenparts < 2:
-        user = cgidata.getfirst('email')
+        user = cgidata.getfirst('email', '').strip()
         if not user:
             # If we're coming from the listinfo page and we left the email
             # address field blank, it's not an error.  Likewise if we're
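Review bot: The chained call on the changed line, `cgidata.getfirst('email', '').strip()`, has no visible guard in this hunk, while the matching call in Mailman/Cgi/private.py sits inside a `try` that catches the `TypeError` raised for a POST with a bad Content-Type. If options.py does not already handle that case further up, wrap this call the same way so a malformed request produces an error page rather than a traceback. Changing the default from None to '' is fine here because the following `if not user:` treats both the same.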
@@ -161,11 +161,12 @@
     # If a user submits a form or URL with post data or query fragments
     # with multiple occurrences of the same variable, we can get a list
     # here.  Be as careful as possible.
+    # This is no longer required because of getfirst() above, but leave it.
     if isinstance(user, list) or isinstance(user, tuple):
         if len(user) == 0:
             user = ''
         else:
-            user = user[-1]
+            user = user[-1].strip()
 
     # Avoid cross-site scripting attacks
     safeuser = Utils.websafe(user)
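Review bot: The new comment says the list/tuple branch is no longer required, yet the same hunk changes that branch to `user[-1].strip()`, so supposedly dead code is being modified. The `getfirst()` call sits inside `if lenparts < 2:`, so the comment only holds for that path; if `user` can be assigned elsewhere, say which path still reaches this block, and otherwise drop the `.strip()` change here. The stripping is also applied only in the `getfirst()` path and in this list fallback, so a plain string arriving by any other route reaches `Utils.websafe(user)` unstripped; a single `user = user.strip()` after this block would normalize every path in one place.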

=== modified file 'Mailman/Cgi/private.py'
--- Mailman/Cgi/private.py	2018-06-17 23:47:34 +0000
+++ Mailman/Cgi/private.py	2019-03-06 17:48:32 +0000
@@ -119,7 +119,7 @@
 
     cgidata = cgi.FieldStorage()
     try:
-        username = cgidata.getfirst('username', '')
+        username = cgidata.getfirst('username', '').strip()
     except TypeError:
         # Someone crafted a POST with a bad Content-Type:.
         doc.AddItem(Header(2, _("Error")))

=== modified file 'NEWS'
--- NEWS	2019-03-02 02:34:46 +0000
+++ NEWS	2019-03-06 17:48:32 +0000
@@ -38,6 +38,9 @@
     - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All.
       (LP: #1818205)
 
+    - Leading/trailing spaces in provided email addresses for login to private
+      archives and the user options page are now ignored.  (LP: #1818872)
+
 2.1.29 (24-Jul-2018)
 
   Bug Fixes
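Review bot: The NEWS entry says "Leading/trailing spaces", but `.strip()` with no argument removes all leading and trailing whitespace, including tabs and newlines. Suggest wording the entry as "Leading/trailing whitespace" so the documented behaviour matches what the code does to a login address.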

_______________________________________________
Mailman-checkins mailing list
Mailman-checkins@python.org