------------------------------------------------------------
revno: 1884
fixes bug: https://launchpad.net/bugs/1954694
committer: Mark Sapiro <[email protected]>
branch nick: 2.1
timestamp: Mon 2021-12-13 10:13:41 -0800
message:
Fix NameError and case sensitivity in CSRF check.
modified:
Mailman/CSRFcheck.py
NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
Your team Mailman Checkins is subscribed to branch lp:mailman/2.1.
To unsubscribe from this branch go to
https://code.launchpad.net/~mailman-coders/mailman/2.1/+edit-subscription
=== modified file 'Mailman/CSRFcheck.py'
--- Mailman/CSRFcheck.py 2021-11-30 17:50:49 +0000
+++ Mailman/CSRFcheck.py 2021-12-13 18:13:41 +0000
@@ -85,11 +85,11 @@
# of the fix for CVE-2021-42096 but it must match the user for
# whom the options page is requested.
raw_user = UnobscureEmail(urllib.unquote(user))
- if cgi_user and cgi_user != raw_user:
+ if cgi_user and cgi_user.lower() != raw_user.lower():
syslog('mischief',
'Form for user %s submitted with CSRF token '
'issued for %s.',
- options_user, raw_user)
+ cgi_user, raw_user)
return False
context = keydict.get(key)
key, secret = mlist.AuthContextInfo(context, user)
=== modified file 'NEWS'
--- NEWS 2021-11-30 17:50:49 +0000
+++ NEWS 2021-12-13 18:13:41 +0000
@@ -5,6 +5,13 @@
Here is a history of user visible changes to Mailman.
+2.1.39 (xx-xxx-xxxx)
+
+ Bug Fixes and other patches
+
+ - User matching for CSRF tokens is no longer case sensitive., and a
+ potential NamerError in logging is fixed. (LP: #1954694)
+
2.1.38 (30-Nov-2021)
Security
_______________________________________________
Mailman-checkins mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/mailman-checkins.python.org/
Member address: [email protected]
