------------------------------------------------------------
revno: 1890
fixes bug: https://launchpad.net/bugs/1968443
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Sat 2022-07-09 17:06:49 -0700
message:
  Fixed a possible list membership leak via the user options CGI.
modified:
  Mailman/Cgi/options.py
  NEWS


--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py	2022-02-22 18:10:03 +0000
+++ Mailman/Cgi/options.py	2022-07-10 00:06:49 +0000
@@ -164,12 +164,35 @@
         loginpage(mlist, doc, None, language)
         print doc.Format()
         return
-    # Sanity check the user, but only give the "no such member" error when
-    # using public rosters, otherwise, we'll leak membership information.
+    # Sanity check the user, but we have to give the appropriate error msg
+    # to not potentially leak membership info. This is a kludge here. We
+    # have to check membership here to avoid LP: #1951769, but then we have
+    # to give the appropriate error to avoid LP: #1968443
+    msgc = _('If you are a list member, a confirmation email has been sent.')
+    msgb = _('You already have a subscription pending confirmation')
+    msga = _("""If you are a list member, your unsubscription request has been
+             forwarded to the list administrator for approval.""")
+    msgd = _("""If you are a list member,
+            your password has been emailed to you.""")
     if not mlist.isMember(user):
         if mlist.private_roster == 0:
             doc.addError(_('No such member: %(safeuser)s.'))
             user = None
+        elif cgidata.has_key('login-unsub'):
+            syslog('mischief',
+                   'Unsub attempt of non-member w/ private rosters: %s',
+                   user)
+            if mlist.unsubscribe_policy:
+                doc.addError(msga, tag='')
+            else:
+                doc.addError(msgc, tag='')
+            user = None
+        elif cgidata.has_key('login-remind'):
+            syslog('mischief',
+                   'Reminder attempt of non-member w/ private rosters: %s',
+                   user)
+            doc.addError(msgd, tag='')
+            user = None
         loginpage(mlist, doc, user, language)
         print doc.Format()
         return
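Review bot: The non-member branch now depends on emitting exactly the text the member branch emits further down (`msga`/`msgc` for login-unsub, `msgd` for login-remind), but nothing at the definitions says so, and `msgb` is not referenced anywhere in this hunk (presumably it serves the pending-subscription case inside the login-unsub block later on), so a later edit to either side could quietly reintroduce a difference between the two responses. I'd replace the "kludge" comment with one that states the invariant: `# These messages are shared by the member and non-member paths below; both paths must emit identical text so the response does not reveal membership.` A non-member on a private-roster list who submits a plain password login matches neither `elif`, so the login page is re-rendered with `user` still set and no error added; it is worth confirming that this is the same page a member with a wrong password gets. The enclosing function starts before and continues after this hunk.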
@@ -205,10 +228,6 @@
     i18n.set_language(userlang)
 
     # Are we processing an unsubscription request from the login screen?
-    msgc = _('If you are a list member, a confirmation email has been sent.')
-    msgb = _('You already have a subscription pending confirmation')
-    msga = _("""If you are a list member, your unsubscription request has been
-             forwarded to the list administrator for approval.""")
     if cgidata.has_key('login-unsub'):
         # Because they can't supply a password for unsubscribing, we'll need
         # to do the confirmation dance.
@@ -234,39 +253,20 @@
             finally:
                 mlist.Unlock()
         else:
-            # Not a member
-            if mlist.private_roster == 0:
-                # Public rosters
-                doc.addError(_('No such member: %(safeuser)s.'))
-            else:
-                syslog('mischief',
-                       'Unsub attempt of non-member w/ private rosters: %s',
-                       user)
-                if mlist.unsubscribe_policy:
-                    doc.addError(msga, tag='')
-                else:
-                    doc.addError(msgc, tag='')
+            # Not a member handled above.
+            pass
         loginpage(mlist, doc, user, language)
         print doc.Format()
         return
 
     # Are we processing a password reminder from the login screen?
-    msg = _("""If you are a list member,
-            your password has been emailed to you.""")
     if cgidata.has_key('login-remind'):
         if mlist.isMember(user):
             mlist.MailUserPassword(user)
-            doc.addError(msg, tag='')
+            doc.addError(msgd, tag='')
         else:
-            # Not a member
-            if mlist.private_roster == 0:
-                # Public rosters
-                doc.addError(_('No such member: %(safeuser)s.'))
-            else:
-                syslog('mischief',
-                       'Reminder attempt of non-member w/ private rosters: %s',
-                       user)
-                doc.addError(msg, tag='')
+            # Not a member handled above.
+            pass
         loginpage(mlist, doc, user, language)
         print doc.Format()
         return
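Review bot: The replacement `else:` branches at the two `# Not a member handled above.` sites only `pass`, so each `if mlist.isMember(user):` can stand alone with the comment above it; an `else: pass` reads as a forgotten stub. The comment also leaves an assumption implicit: the membership check at the top of the function already returned for every non-member, so reaching this `else` means membership changed between the two lookups, and in that case the page is rendered with no message at all. If that is acceptable, saying so documents it: `# Non-members were diverted at the top of the function; this branch is reached only if membership changed in between.` The enclosing function starts before this hunk.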

=== modified file 'NEWS'
--- NEWS	2022-03-28 23:55:20 +0000
+++ NEWS	2022-07-10 00:06:49 +0000
@@ -7,6 +7,10 @@
 
 2.1.40 (xx-xxx-xxxx)
 
+  i18n
+
+    - The German translation of `Esperanto` is fixed.  (LP: #1966685)
+
   Bug Fixes and other patches
 
     - Test for a valid header following a Unix From_ line in bin/cleanarch
@@ -14,7 +18,8 @@
     - A 500 Internal Server Error when requesting the options page for a
       non-member address on a list with private rosters is avoided.
       (LP: #1961762)
-    - The German translation of Esperanto is fixed.  (LP: #1966685)
+    - A possible list membership leak via the user options CGI is fixed.
+      (LP: #1968443)
 
 2.1.39 (13-Dec-2021)
 
