------------------------------------------------------------
revno: 1893
fixes bug: https://launchpad.net/bugs/2017813
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Mon 2023-05-22 12:58:09 -0700
message:
  Improved fix for LP: #2017813.
modified:
  Mailman/Cgi/options.py
  NEWS
-- lp:mailman/2.1 https://code.launchpad.net/~mailman-coders/mailman/2.1
=== modified file 'Mailman/Cgi/options.py' --- Mailman/Cgi/options.py 2023-04-26 20:34:45 +0000 +++ Mailman/Cgi/options.py 2023-05-22 19:58:09 +0000 @@ -194,8 +194,8 @@ doc.addError(msgd, tag='') user = None # We get here with a non-None user in the case of a non-member with - # private rosters. user should be None in every case. - user = None + # private rosters. This creates a possible membership leak, but we + # fix that a different way. See LP: #2017813. loginpage(mlist, doc, user, language) print doc.Format() return @@ -313,7 +313,7 @@ syslog('mischief', 'Login failure with private rosters: %s from %s', user, remote) - user = None + # Don't clear user here. See LP: #2017813. # give an HTTP 401 for authentication failure if mlist.private_roster == 0: # Only add error with public rosters lp: #2015416 === modified file 'NEWS' --- NEWS 2023-04-26 20:34:45 +0000 +++ NEWS 2023-05-22 19:58:09 +0000 @@ -23,7 +23,7 @@ - Another possible list membership leak via the user options CGI is fixed. (LP: #2015416) - Yet another possible list membership leak via the user options CGI is - fixed. (LP:#2017813) + fixed. (LP: #2017813) 2.1.39 (13-Dec-2021)
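Review bot: In the first Mailman/Cgi/options.py hunk (@@ -194,8), the replacement comment says the membership leak is fixed "a different way" but does not say where, and no such change is visible in this diff. With `user = None` removed, `loginpage(mlist, doc, user, language)` is now called with a non-None user for a non-member under private rosters, so the comment should name the function or check that keeps the login page identical for members and non-members instead of pointing only at LP: #2017813.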
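Review bot: In the second Mailman/Cgi/options.py hunk (@@ -313,7), "Don't clear user here" records what not to do but not why. This is the login-failure path that logs to 'mischief' under private rosters, and `user` now stays set for the code that follows, so the comment should state which later use depends on it and what keeps the response from differing between members and non-members. A regression test for a failed login with `mlist.private_roster` non-zero would also keep the removed `user = None` from being reinstated by a later cleanup.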