A security vulnerability was reported against Postorius recently which
allows any logged-in user to unsubscribe any other member on any other
list on the same Mailman installation using a specially crafted POST request
due to a missing ownership check. This has been assigned CVE-2021-40347.
This affects all past versions of Postorius including 1.0.0.
Thanks to Kunal Mehta for the security report and a quick patch to fix
I am also attaching a minimal patch that fixes it along with this email,
without tests and NEWS so that it applies to older versions of Postorius
easily (I have tested the included patch with the 1.3.3 and 1.3.2 git tags).
Upgrading to the 1.3.5 release is highly recommended and it mostly includes
the fix for this vulnerability (and a small compatibility fix for
django-mailman3 1.3.6) so it shouldn’t introduce any other bugs.
You can upgrade to this release by running:
$ pip install postorius==1.3.5
A full change log is available here as usual and can be downloaded
Since there aren't many changes, this release requires 3.5+ like 1.3.4.
Note, however, that the next release will drop support for 3.5 and will
support 3.6 only.
For those of you who use container images, I am working on 0.3.12 of
container images right now, so look out for that announcement. For those
of you using the rolling releases, you can already upgrade to the latest
version of the rolling release as it has the fix.
Abhilash Raj (maxking)
diff --git a/src/postorius/views/list.py b/src/postorius/views/list.py
index 37d7ff6b..cd4967b9 100644
@@ -502,6 +502,15 @@ class ListUnsubscribeView(MailingListView):
def post(self, request, *args, **kwargs):
email = request.POST['email']
+ # Verify the user actually controls this email, should
+ # return 1 if the user owns the email, 0 otherwise.
+ found_email = EmailAddress.objects.filter(
+ user=request.user, email=email, verified=True).count()
+ if found_email == 0:
+ _('You can only unsubscribe yourself.'))
+ return redirect('list_summary', self.mailing_list.list_id)
messages.success(request, _('%s has been unsubscribed'
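Review bot: the hunk as quoted is incomplete, so the fix cannot be reviewed or applied from this message alone. The `@@ -502,6 +502,15 @@` header promises nine added lines but only seven `+` lines appear, and `_('You can only unsubscribe yourself.'))` closes a call that never opens in the quoted text (presumably a `messages.error(request,` line directly above it, mirroring the `messages.success(request, ...` context line that follows). The hunk also gives no hint of where `EmailAddress` comes from; if `list.py` does not already import it, the minimal patch needs that import as well, or the first POST to the view will fail with a NameError. Style point: `EmailAddress.objects.filter(...).count()` compared with `0` does more work than the intent requires; `if not EmailAddress.objects.filter(user=request.user, email=email, verified=True).exists():` says the same thing directly. Keeping `verified=True` in the filter is the right call: without it a user could attach the victim's address to their own account, never confirm it, and still pass the ownership check.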
Mailman-Developers mailing list -- firstname.lastname@example.org
To unsubscribe send an email to mailman-developers-le...@python.org
Mailman FAQ: https://wiki.list.org/x/AgA3
Security Policy: https://wiki.list.org/x/QIA9
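The bug class behind the advisory above is an authenticated request whose target identifier (the `email` field of the POST) is trusted without checking that the session user owns it. The following is an added, stand-alone Python example, not Postorius code and not Django: it models the vulnerable handler beside the hardened one and replays the attack, including the variant where the attacker attaches the victim's address to their own account without verifying it. The classes `EmailAddress`, `Subscriptions`, the functions `unsubscribe_vulnerable`, `unsubscribe_fixed`, `user_controls_email` and `demo`, and all users, addresses and list names are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EmailAddress:
    # Constructed stand-in for a per-account address record (assumption, not the project's model).
    user: str        # account that registered the address
    email: str
    verified: bool   # True only once the confirmation link was followed


@dataclass
class Subscriptions:
    # Constructed stand-in for the list-member table: list_id -> set of member emails.
    members: dict = field(default_factory=dict)

    def is_member(self, list_id, email):
        return email in self.members.get(list_id, set())

    def remove(self, list_id, email):
        self.members.get(list_id, set()).discard(email)


def user_controls_email(address_book, user, email):
    """Server-side ownership check: the logged-in user must have *verified*
    this address. Unverified entries do not count, so adding the victim's
    address to one's own account is not enough to pass the check."""
    return any(a.user == user and a.email == email and a.verified
               for a in address_book)


def unsubscribe_vulnerable(subs, list_id, session_user, posted_email):
    """Before the fix: the session is authenticated, but the client-supplied
    email is acted on without checking that session_user owns it."""
    if not subs.is_member(list_id, posted_email):
        return "not a member"
    subs.remove(list_id, posted_email)
    return "%s has been unsubscribed" % posted_email


def unsubscribe_fixed(subs, address_book, list_id, session_user, posted_email):
    """After the fix: refuse unless the posted address is one the user verified."""
    if not user_controls_email(address_book, session_user, posted_email):
        return "You can only unsubscribe yourself."
    if not subs.is_member(list_id, posted_email):
        return "not a member"
    subs.remove(list_id, posted_email)
    return "%s has been unsubscribed" % posted_email


def demo():
    """Replays the attack: 'mallory' is logged in and posts 'alice@example.com'."""
    list_id = "list@example.com"
    # Constructed data: two accounts; mallory has also attached alice's address, unverified.
    address_book = [
        EmailAddress("alice", "alice@example.com", verified=True),
        EmailAddress("mallory", "mallory@example.com", verified=True),
        EmailAddress("mallory", "alice@example.com", verified=False),
    ]
    results = {}

    subs = Subscriptions({list_id: {"alice@example.com", "mallory@example.com"}})
    results["vulnerable"] = unsubscribe_vulnerable(subs, list_id, "mallory", "alice@example.com")
    results["alice_after_vulnerable"] = subs.is_member(list_id, "alice@example.com")

    subs = Subscriptions({list_id: {"alice@example.com", "mallory@example.com"}})
    results["fixed_attack"] = unsubscribe_fixed(subs, address_book, list_id, "mallory", "alice@example.com")
    results["alice_after_fixed"] = subs.is_member(list_id, "alice@example.com")
    # The legitimate self-service path still works for the user's own verified address.
    results["fixed_self"] = unsubscribe_fixed(subs, address_book, list_id, "mallory", "mallory@example.com")
    results["mallory_after_fixed"] = subs.is_member(list_id, "mallory@example.com")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the verified-only match makes is that "the user has this address on their account" is not the same as "the user controls this address"; the check has to be tied to a completed confirmation, exactly as the `verified=True` filter in the attached patch does.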