------------------------------------------------------------
revno: 1809
fixes bug: https://launchpad.net/bugs/1818872
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Wed 2019-03-06 09:48:32 -0800
message:
  Strip leading/trailing spaces from login email for private and options login.
modified:
  Mailman/Cgi/options.py
  Mailman/Cgi/private.py
  NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

Your team Mailman Checkins is subscribed to branch lp:mailman/2.1.
To unsubscribe from this branch go to https://code.launchpad.net/~mailman-coders/mailman/2.1/+edit-subscription
=== modified file 'Mailman/Cgi/options.py' --- Mailman/Cgi/options.py 2018-12-30 17:40:15 +0000 +++ Mailman/Cgi/options.py 2019-03-06 17:48:32 +0000 @@ -144,7 +144,7 @@ doc.set_language(language) if lenparts < 2: - user = cgidata.getfirst('email') + user = cgidata.getfirst('email', '').strip() if not user: # If we're coming from the listinfo page and we left the email # address field blank, it's not an error. Likewise if we're @@ -161,11 +161,12 @@ # If a user submits a form or URL with post data or query fragments # with multiple occurrences of the same variable, we can get a list # here. Be as careful as possible. + # This is no longer required because of getfirst() above, but leave it. if isinstance(user, list) or isinstance(user, tuple): if len(user) == 0: user = '' else: - user = user[-1] + user = user[-1].strip() # Avoid cross-site scripting attacks safeuser = Utils.websafe(user) === modified file 'Mailman/Cgi/private.py' --- Mailman/Cgi/private.py 2018-06-17 23:47:34 +0000 +++ Mailman/Cgi/private.py 2019-03-06 17:48:32 +0000 @@ -119,7 +119,7 @@ cgidata = cgi.FieldStorage() try: - username = cgidata.getfirst('username', '') + username = cgidata.getfirst('username', '').strip() except TypeError: # Someone crafted a POST with a bad Content-Type:. doc.AddItem(Header(2, _("Error"))) === modified file 'NEWS' --- NEWS 2019-03-02 02:34:46 +0000 +++ NEWS 2019-03-06 17:48:32 +0000 @@ -38,6 +38,9 @@ - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All. (LP: #1818205) + - Leading/trailing spaces in provided email addresses for login to private + archives and the user options page are now ignored. (LP: #1818872) + 2.1.29 (24-Jul-2018) Bug Fixes
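Review bot: in the first options.py hunk (@@ -144,7), the `''` default passed to `getfirst('email', '')` is now load-bearing and deserves a one-line comment: without it a missing `email` field returns `None` and `.strip()` raises `AttributeError` instead of falling through to the `if not user:` "left the field blank" branch, so a later edit that drops the default would turn an empty form submission into a traceback. Also worth stating in the commit message: an all-whitespace address now strips to `''` and takes the blank-field path rather than being reported as an invalid address.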
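Review bot: the new comment in the second options.py hunk (@@ -161,11) says the list/tuple branch "is no longer required because of getfirst() above", yet the same hunk still edits that branch to `user = user[-1].strip()`. If the block is dead, remove it rather than maintain it; if `user` can still arrive as a list on the `lenparts >= 2` path, which this diff does not show, then the comment is wrong and should say where such a value comes from. As written, the comment and the code disagree about whether the branch is live.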
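Review bot: in the private.py hunk (@@ -119,7), `.strip()` now sits inside the `try:` whose `except TypeError` is commented as handling a POST with a bad `Content-Type:`; `str.strip()` on the `''` default cannot raise `TypeError`, so the handler's scope is unchanged, but the guard is only there for `getfirst`. The asymmetry with options.py is the real point: its `cgidata.getfirst('email', '')` at line 147 is not visibly wrapped in the same `try/except TypeError` (the context lines show only `doc.set_language(language)` and `if lenparts < 2:` before it), so the malformed-POST case that private.py handles gracefully may still produce a traceback on the options page. Please confirm or add the matching guard.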
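Review bot: the NEWS entry added in the last hunk says "Leading/trailing spaces", but `.strip()` with no argument removes all leading and trailing whitespace (tabs, CR and LF as well as spaces). Say "whitespace" in the release note so it describes what the code actually does, e.g. "Leading/trailing whitespace in provided email addresses for login to private archives and the user options page is now ignored."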
_______________________________________________
Mailman-checkins mailing list
Mailman-checkins@python.org
Unsubscribe: https://mail.python.org/mailman/options/mailman-checkins/archive%40jab.org