------------------------------------------------------------
revno: 1893
fixes bug: https://launchpad.net/bugs/2017813
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Mon 2023-05-22 12:58:09 -0700
message:
Improved fix for LP: #2017813.
modified:
Mailman/Cgi/options.py
NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
Your team Mailman Checkins is subscribed to branch lp:mailman/2.1.
To unsubscribe from this branch go to
https://code.launchpad.net/~mailman-coders/mailman/2.1/+edit-subscription
=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py 2023-04-26 20:34:45 +0000
+++ Mailman/Cgi/options.py 2023-05-22 19:58:09 +0000
@@ -194,8 +194,8 @@
doc.addError(msgd, tag='')
user = None
# We get here with a non-None user in the case of a non-member with
- # private rosters. user should be None in every case.
- user = None
+ # private rosters. This creates a possible membership leak, but we
+ # fix that a different way. See LP: #2017813.
loginpage(mlist, doc, user, language)
print doc.Format()
return
@@ -313,7 +313,7 @@
syslog('mischief',
'Login failure with private rosters: %s from %s',
user, remote)
- user = None
+ # Don't clear user here. See LP: #2017813.
# give an HTTP 401 for authentication failure
if mlist.private_roster == 0:
# Only add error with public rosters lp: #2015416
=== modified file 'NEWS'
--- NEWS 2023-04-26 20:34:45 +0000
+++ NEWS 2023-05-22 19:58:09 +0000
@@ -23,7 +23,7 @@
- Another possible list membership leak via the user options CGI is fixed.
(LP: #2015416)
- Yet another possible list membership leak via the user options CGI is
- fixed. (LP:#2017813)
+ fixed. (LP: #2017813)
2.1.39 (13-Dec-2021)
_______________________________________________
Mailman-checkins mailing list -- mailman-checkins@python.org
To unsubscribe send an email to mailman-checkins-le...@python.org
https://mail.python.org/mailman3/lists/mailman-checkins.python.org/
Member address: arch...@jab.org
