Merge authors:
  Ralf Jung <p...@ralfj.de>
Related merge proposals:
  https://code.launchpad.net/~ralfjung-e/mailman/csrf-injective/+merge/347340
  proposed by: Ralf Jung (ralfjung-e)
  review: Approve - Mark Sapiro (msapiro)
------------------------------------------------------------
revno: 1759 [merge]
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Sun 2018-06-03 16:52:44 -0700
message:
  Modified SUBSCRIBE_FORM_SECRET hash generation.
modified:
  Mailman/Cgi/listinfo.py
  Mailman/Cgi/subscribe.py
  NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
=== modified file 'Mailman/Cgi/listinfo.py' --- Mailman/Cgi/listinfo.py 2018-05-26 16:22:35 +0000 +++ Mailman/Cgi/listinfo.py 2018-06-03 20:19:49 +0000 @@ -218,9 +218,9 @@ remote = remote.rsplit(':', 1)[0] replacements['<mm-subscribe-form-start>'] += ( '<input type="hidden" name="sub_form_token" value="%s:%s">\n' - % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + - now + - mlist.internal_name() + + % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" + + now + ":" + + mlist.internal_name() + ":" + remote ).hexdigest() ) === modified file 'Mailman/Cgi/subscribe.py' --- Mailman/Cgi/subscribe.py 2018-04-11 09:36:40 +0000 +++ Mailman/Cgi/subscribe.py 2018-06-03 20:19:49 +0000 @@ -173,9 +173,9 @@ except ValueError: ftime = fhash = '' then = 0 - token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + - ftime + - mlist.internal_name() + + token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" + + ftime + ":" + + mlist.internal_name() + ":" + remote1).hexdigest() if ftime and now - then > mm_cfg.FORM_LIFETIME: results.append(_('The form is too old. Please GET it again.')) === modified file 'NEWS' --- NEWS 2018-05-26 19:12:01 +0000 +++ NEWS 2018-06-03 23:52:44 +0000 @@ -14,6 +14,11 @@ - A few more error messages have had their values HTML escaped. + - The hash generated when SUBSCRIBE_FORM_SECRET is set could have been + the same as one generated at the same time for a different list and + IP address. While this is not thought to be exploitable in any way, + the generation has been changed to avoid this. Thanks to Ralf Jung. + New Features - An option has been added to bin/add_members to issue invitations
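Review bot: in the listinfo.py hunk, ":" works as a field delimiter in `mm_cfg.SUBSCRIBE_FORM_SECRET + ":" + now + ":" + mlist.internal_name() + ":" + remote` only because of properties the code never states: `now` is all digits, the list name must not contain ":" (worth confirming against the list-name validation), and `remote` is the last field, so the colons of an IPv6 address (the preceding `remote = remote.rsplit(':', 1)[0]` strips just one trailing component) cannot move an earlier boundary. A one-line comment recording that reasoning would stop a later reordering of the fields, for instance putting `remote` before the list name, from silently reintroducing the collision this change removes.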
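Review bot: in the subscribe.py hunk, the verification side now has to mirror listinfo.py byte for byte (same secret, same ":" separators, same field order of `ftime`, list name, `remote1`), yet the two copies live in different files with nothing tying them together; one helper in Utils, say a hypothetical `Utils.subscribe_form_token(ftime, listname, remote)` called from both CGI scripts, would make it impossible to update one site and forget the other. Separately, `Utils.sha_new(secret + ":" + ...)` keys the hash by prefixing the secret to the message; `hmac.new(secret, msg, sha)` is the standard construction for a keyed token and would be a natural follow-up, although it does not change the field-separator question this patch addresses.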
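Review bot: the NEWS entry gives the symptom (the same hash for a different list and IP address at the same moment) but not the cause, which is that the fields were concatenated with no separator; naming that makes the fix self-explanatory to an administrator reading NEWS without the diff. It would also help to say that subscribe forms rendered before the upgrade will no longer match the server-side token, since the server now computes a different hash from the one those forms carry, so rejections of in-flight forms immediately after upgrading are expected rather than a regression.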
_______________________________________________
Mailman-checkins mailing list
Mailman-checkins@python.org