------------------------------------------------------------ revno: 1890 fixes bug: https://launchpad.net/bugs/1968443 committer: Mark Sapiro <m...@msapiro.net> branch nick: 2.1 timestamp: Sat 2022-07-09 17:06:49 -0700 message: Fixed a possible list membership leak via the user options CGI. modified: Mailman/Cgi/options.py NEWS
=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py 2022-02-22 18:10:03 +0000
+++ Mailman/Cgi/options.py 2022-07-10 00:06:49 +0000
@@ -164,12 +164,35 @@
 loginpage(mlist, doc, None, language)
 print doc.Format()
 return
- # Sanity check the user, but only give the "no such member" error when
- # using public rosters, otherwise, we'll leak membership information.
+ # Sanity check the user, but we have to give the appropriate error msg
+ # to not potentially leak membership info. This is a kludge here. We
+ # have to check membership here to avoid LP: #1951769, but then we have
+ # to give the appropriate error to avoid LP: #1968443
+ msgc = _('If you are a list member, a confirmation email has been sent.')
+ msgb = _('You already have a subscription pending confirmation')
+ msga = _("""If you are a list member, your unsubscription request has been
+ forwarded to the list administrator for approval.""")
+ msgd = _("""If you are a list member,
+ your password has been emailed to you.""")
 if not mlist.isMember(user):
 if mlist.private_roster == 0:
 doc.addError(_('No such member: %(safeuser)s.'))
 user = None
+ elif cgidata.has_key('login-unsub'):
+ syslog('mischief',
+ 'Unsub attempt of non-member w/ private rosters: %s',
+ user)
+ if mlist.unsubscribe_policy:
+ doc.addError(msga, tag='')
+ else:
+ doc.addError(msgc, tag='')
+ user = None
+ elif cgidata.has_key('login-remind'):
+ syslog('mischief',
+ 'Reminder attempt of non-member w/ private rosters: %s',
+ user)
+ doc.addError(msgd, tag='')
+ user = None
 loginpage(mlist, doc, user, language)
 print doc.Format()
 return
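Review bot: The new non-member branches handle only `login-unsub` and `login-remind`; a non-member on a private-roster list who submits a password instead takes neither branch, so no error is added and `loginpage(mlist, doc, user, language)` is rendered with `user` still set, while a member's failed password check happens below this hunk and presumably adds its own error. If those two responses differ in text, the oracle this commit closes for the unsubscribe and reminder forms stays open for the login form, so confirm they match before treating LP: #1968443 as closed. A second point is that `msga`, `msgc` and `msgd` are now evaluated by `_()` here, before `i18n.set_language(userlang)` runs for a member (the definitions removed in the next hunk sat after it), which changes the language a member sees if `_()` translates eagerly; if that is deliberate so both paths emit identical text, a comment such as `# Built before set_language(userlang) on purpose: member and non-member responses must be identical` would record it. The enclosing function starts before and ends after this hunk.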
@@ -205,10 +228,6 @@
 i18n.set_language(userlang)
 # Are we processing an unsubscription request from the login screen?
- msgc = _('If you are a list member, a confirmation email has been sent.')
- msgb = _('You already have a subscription pending confirmation')
- msga = _("""If you are a list member, your unsubscription request has been
- forwarded to the list administrator for approval.""")
 if cgidata.has_key('login-unsub'):
 # Because they can't supply a password for unsubscribing, we'll need
 # to do the confirmation dance.
@@ -234,39 +253,20 @@
 finally:
 mlist.Unlock()
 else:
- # Not a member
- if mlist.private_roster == 0:
- # Public rosters
- doc.addError(_('No such member: %(safeuser)s.'))
- else:
- syslog('mischief',
- 'Unsub attempt of non-member w/ private rosters: %s',
- user)
- if mlist.unsubscribe_policy:
- doc.addError(msga, tag='')
- else:
- doc.addError(msgc, tag='')
+ # Not a member handled above.
+ pass
 loginpage(mlist, doc, user, language)
 print doc.Format()
 return
 # Are we processing a password reminder from the login screen?
- msg = _("""If you are a list member,
- your password has been emailed to you.""")
 if cgidata.has_key('login-remind'):
 if mlist.isMember(user):
 mlist.MailUserPassword(user)
- doc.addError(msg, tag='')
+ doc.addError(msgd, tag='')
 else:
- # Not a member
- if mlist.private_roster == 0:
- # Public rosters
- doc.addError(_('No such member: %(safeuser)s.'))
- else:
- syslog('mischief',
- 'Reminder attempt of non-member w/ private rosters: %s',
- user)
- doc.addError(msg, tag='')
+ # Not a member handled above.
+ pass
 loginpage(mlist, doc, user, language)
 print doc.Format()
 return
=== modified file 'NEWS'
--- NEWS 2022-03-28 23:55:20 +0000
+++ NEWS 2022-07-10 00:06:49 +0000
@@ -7,6 +7,10 @@
 2.1.40 (xx-xxx-xxxx)
+ i18n
+
+ - The German translation of `Esperanto` is fixed. (LP: #1966685)
+
 Bug Fixes and other patches
 - Test for a valid header following a Unix From_ line in bin/cleanarch
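Review bot: Both `else: pass` branches in this hunk are unreachable in the new code, because every non-member case now returns from the sanity check earlier in the function, so the surviving `mlist.isMember(user)` tests are defensive only; if they are kept for the window where membership changes between the two checks, `# isMember re-checked: membership may have changed since the check above` says so better than `# Not a member handled above.`, otherwise the re-check can go. The response text is now identical for members and non-members, but the member path still does real work before answering, `mlist.MailUserPassword(user)` here and the locked confirmation sequence ending in `mlist.Unlock()` for `login-unsub`, while a non-member returned before any of it, so response time probably remains a weaker membership oracle on private-roster lists; that is likely out of scope for this fix but worth a sentence in the comment block that explains the kludge. The enclosing function starts before and ends after this hunk.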
@@ -14,7 +18,8 @@
 - A 500 Internal Server Error when requesting the options page for a non-member address on a list with private rosters is avoided. (LP: #1961762)
- - The German translation of Esperanto is fixed. (LP: #1966685)
+ - A possible list membership leak via the user options CGI is fixed.
+ (LP: #1968443)
 2.1.39 (13-Dec-2021)