------------------------------------------------------------
revno: 1891
fixes bug: https://launchpad.net/bugs/2015416
committer: Mark Sapiro <[email protected]>
branch nick: 2.1
timestamp: Wed 2023-04-05 16:46:40 -0700
message:
Fixed another possible list membership leak via the user options CGI.
modified:
Mailman/Cgi/options.py
NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py 2022-07-10 00:06:49 +0000
+++ Mailman/Cgi/options.py 2023-04-05 23:46:40 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2023 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -294,7 +294,9 @@
# to authenticate via cgi (instead of cookie), then print an error
# message.
if cgidata.has_key('password'):
- doc.addError(_('Authentication failed.'))
+ if mlist.private_roster == 0:
+ # Only add error with public rosters lp: #2015416
+ doc.addError(_('Authentication failed.'))
remote = os.environ.get('HTTP_FORWARDED_FOR',
os.environ.get('HTTP_X_FORWARDED_FOR',
os.environ.get('REMOTE_ADDR',
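Review bot: The new `if mlist.private_roster == 0:` guard in front of `doc.addError(_('Authentication failed.'))` means that on a list whose roster is not public, a member who mistypes a password is sent back to the login page with no message at all. The comment says when the error is added but not why; if the message is what let a requester tell a subscribed address from an unsubscribed one, state that in the comment so the silent path is not "fixed" later as a usability bug. The same roster test is repeated a few lines further down around the 401 status, so computing it once into a named local would keep the two guards from drifting apart.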
@@ -310,7 +312,9 @@
user, remote)
user = None
# give an HTTP 401 for authentication failure
- print 'Status: 401 Unauthorized'
+ if mlist.private_roster == 0:
+ # Only add error with public rosters lp: #2015416
+ print 'Status: 401 Unauthorized'
loginpage(mlist, doc, user, language)
print doc.Format()
return
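Review bot: The comment above `print 'Status: 401 Unauthorized'` is copied from the earlier hunk and says "Only add error", but this guard controls the HTTP status line, not a page error. Reword it to say that the 401 is sent only for public rosters. Failed logins on lists with a non-public roster will also stop producing a 401, so anything that counts 401 responses from this CGI to spot password guessing has to rely on the call ending in `user, remote)` just above; a short comment to that effect would help operators.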
=== modified file 'NEWS'
--- NEWS 2022-07-10 00:06:49 +0000
+++ NEWS 2023-04-05 23:46:40 +0000
@@ -20,6 +20,8 @@
(LP: #1961762)
- A possible list membership leak via the user options CGI is fixed.
(LP: #1968443)
+ - Another possible list membership leak via the user options CGI is fixed.
+ (LP: #2015416)
2.1.39 (13-Dec-2021)
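Review bot: The added NEWS entry repeats the wording of the LP: #1968443 item and does not tell site administrators what changes for them. Consider stating that on lists whose roster is not public, a failed login on the user options page no longer shows "Authentication failed." or returns a 401 status, since that difference is visible to members and to anything parsing the responses.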