Merge authors:
  Ralf Jung <p...@ralfj.de>
Related merge proposals:
  https://code.launchpad.net/~ralfjung-e/mailman/csrf-injective/+merge/347340
  proposed by: Ralf Jung (ralfjung-e)
  review: Approve - Mark Sapiro (msapiro)
------------------------------------------------------------
revno: 1759 [merge]
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Sun 2018-06-03 16:52:44 -0700
message:
  Modified SUBSCRIBE_FORM_SECRET hash generation.
modified:
  Mailman/Cgi/listinfo.py
  Mailman/Cgi/subscribe.py
  NEWS


--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

=== modified file 'Mailman/Cgi/listinfo.py'
--- Mailman/Cgi/listinfo.py	2018-05-26 16:22:35 +0000
+++ Mailman/Cgi/listinfo.py	2018-06-03 20:19:49 +0000
@@ -218,9 +218,9 @@
             remote = remote.rsplit(':', 1)[0]
         replacements['<mm-subscribe-form-start>'] += (
                 '<input type="hidden" name="sub_form_token" value="%s:%s">\n'
-                % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
-                          now +
-                          mlist.internal_name() +
+                % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" +
+                          now + ":" +
+                          mlist.internal_name() + ":" +
                           remote
                           ).hexdigest()
                     )
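Review bot: The ":" separator only restores injectivity if none of the fields before the last one can contain a ":" themselves; the lines above show `remote` may still contain colons (the `rsplit(':', 1)` only strips a trailing port, so an IPv6 address keeps its colons), which is harmless here only because `remote` is the final field, while `now` and `mlist.internal_name()` must never contain ":". Worth a short comment above the `Utils.sha_new(` call stating that ordering assumption, and since this is a keyed token, an HMAC over the separated fields (e.g. `hmac.new(mm_cfg.SUBSCRIBE_FORM_SECRET, msg)`) would make the construction independent of such delimiter assumptions.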

=== modified file 'Mailman/Cgi/subscribe.py'
--- Mailman/Cgi/subscribe.py	2018-04-11 09:36:40 +0000
+++ Mailman/Cgi/subscribe.py	2018-06-03 20:19:49 +0000
@@ -173,9 +173,9 @@
         except ValueError:
             ftime = fhash = ''
             then = 0
-        token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
-                              ftime +
-                              mlist.internal_name() +
+        token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" +
+                              ftime + ":" +
+                              mlist.internal_name() + ":" +
                               remote1).hexdigest()
         if ftime and now - then > mm_cfg.FORM_LIFETIME:
             results.append(_('The form is too old.  Please GET it again.'))
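Review bot: The token string built here must stay byte-for-byte identical to the one in listinfo.py (same field order, same ":" separators), so any future change to one side silently breaks the other; consider factoring the construction into a single helper in Utils that both CGIs call. Two follow-ups not visible in the hunk: wherever `token` is compared against `fhash`, use a constant-time comparison rather than `==`, and note that a form fetched before this change and submitted after it will now fail the check, a window that the existing `FORM_LIFETIME` test on the line after `.hexdigest()` bounds but does not eliminate.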

=== modified file 'NEWS'
--- NEWS	2018-05-26 19:12:01 +0000
+++ NEWS	2018-06-03 23:52:44 +0000
@@ -14,6 +14,11 @@
 
     - A few more error messages have had their values HTML escaped.
 
+    - The hash generated when SUBSCRIBE_FORM_SECRET is set could have been
+      the same as one generated at the same time for a different list and
+      IP address.  While this is not thought to be exploitable in any way,
+      the generation has been changed to avoid this.  Thanks to Ralf Jung.
+
   New Features
 
     - An option has been added to bin/add_members to issue invitations
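Review bot: The entry states the effect but not the cause; a half sentence such as "because the secret, timestamp, list name and IP address were concatenated without a separator" would let administrators judge the claim that it is not exploitable. It should also mention the operational side effect of the format change: subscribe forms fetched from listinfo before the upgrade and submitted afterwards will be rejected until the form is reloaded.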
