------------------------------------------------------------
revno: 1893
fixes bug: https://launchpad.net/bugs/2017813
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Mon 2023-05-22 12:58:09 -0700
message:
  Improved fix for LP: #2017813.
modified:
  Mailman/Cgi/options.py
  NEWS


--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

Your team Mailman Checkins is subscribed to branch lp:mailman/2.1.
To unsubscribe from this branch go to 
https://code.launchpad.net/~mailman-coders/mailman/2.1/+edit-subscription
=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py	2023-04-26 20:34:45 +0000
+++ Mailman/Cgi/options.py	2023-05-22 19:58:09 +0000
@@ -194,8 +194,8 @@
             doc.addError(msgd, tag='')
             user = None
         # We get here with a non-None user in the case of a non-member with
-        # private rosters.  user should be None in every case.
-        user = None
+        # private rosters.  This creates a possible membership leak, but we
+        # fix that a different way. See LP: #2017813.
         loginpage(mlist, doc, user, language)
         print doc.Format()
         return
@@ -313,7 +313,7 @@
                 syslog('mischief',
                        'Login failure with private rosters: %s from %s',
                        user, remote)
-                user = None
+                # Don't clear user here. See LP: #2017813.
             # give an HTTP 401 for authentication failure
             if mlist.private_roster == 0:
                 # Only add error with public rosters lp: #2015416

=== modified file 'NEWS'
--- NEWS	2023-04-26 20:34:45 +0000
+++ NEWS	2023-05-22 19:58:09 +0000
@@ -23,7 +23,7 @@
     - Another possible list membership leak via the user options CGI is fixed.
       (LP: #2015416)
     - Yet another possible list membership leak via the user options CGI is
-      fixed.  (LP:#2017813)
+      fixed.  (LP: #2017813)
 
 2.1.39 (13-Dec-2021)
 

_______________________________________________
Mailman-checkins mailing list -- mailman-checkins@python.org
To unsubscribe send an email to mailman-checkins-le...@python.org
https://mail.python.org/mailman3/lists/mailman-checkins.python.org/
Member address: arch...@jab.org

Reply via email to