------------------------------------------------------------ revno: 1880 fixes bug: https://launchpad.net/bugs/1951769 committer: Mark Sapiro <m...@msapiro.net> branch nick: 2.1 timestamp: Sun 2021-11-21 20:31:11 -0800 message: Avoid NotAMemberError in CSRF check from user options page. modified: Mailman/Cgi/options.py NEWS
=== modified file 'Mailman/Cgi/options.py' --- Mailman/Cgi/options.py 2021-11-03 19:02:21 +0000 +++ Mailman/Cgi/options.py 2021-11-22 04:31:11 +0000 @@ -156,17 +156,6 @@ else: user = user[-1].strip() - # Avoid cross-site scripting attacks - if set(params) - set(safe_params): - csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'), - Utils.UnobscureEmail(urllib.unquote(user))) - else: - csrf_checked = True - # if password is present, void cookie to force password authentication. - if cgidata.getfirst('password'): - os.environ['HTTP_COOKIE'] = '' - csrf_checked = True - safeuser = Utils.websafe(user) try: Utils.ValidateEmail(user) @@ -183,6 +172,17 @@ print doc.Format() return + # Avoid cross-site scripting attacks + if set(params) - set(safe_params): + csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'), + Utils.UnobscureEmail(urllib.unquote(user))) + else: + csrf_checked = True + # if password is present, void cookie to force password authentication. + if cgidata.getfirst('password'): + os.environ['HTTP_COOKIE'] = '' + csrf_checked = True + # Find the case preserved email address (the one the user subscribed with) lcuser = user.lower() try: === modified file 'NEWS' --- NEWS 2021-11-12 23:23:52 +0000 +++ NEWS 2021-11-22 04:31:11 +0000 @@ -5,6 +5,13 @@ Here is a history of user visible changes to Mailman. +2.1.38 (xx-xxx-xxxx) + + Bug Fixes and other patches + + - NotAMemberError exception from the user options page when the user has + been asynchronously unsubscribed is fixed. (LP: #1951769) + 2.1.37 (12-Nov-2021) Bug Fixes and other patches
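Review bot: The comment heading the relocated block, `# Avoid cross-site scripting attacks`, mislabels what the code does: `csrf_check(mlist, cgidata.getfirst('csrf_token'), ...)` is a cross-site request forgery guard, not an XSS mitigation, and since the commit already moves these lines this is the moment to reword it to `# Avoid cross-site request forgery: require a valid token when any non-safe parameter is present`. Moving the CSRF gate below the address validation and the `print doc.Format(); return` error paths (presumably the no-such-member check, given the commit message) is only sound while everything between the old position, just before `safeuser = Utils.websafe(user)`, and the new one stays free of state changes; the visible lines look read-only, but the enclosing handler starts and ends outside both hunks, so that ordering should be confirmed against the full function. The `if cgidata.getfirst('password')` branch still sets `csrf_checked = True` without a token, and a one-line comment such as `# Password auth replaces the CSRF token: the cookie is voided, so the request must authenticate with the password` would record why that bypass is acceptable. If `csrf_check` itself looks the member up, a user unsubscribed between the membership check and that call could still raise the same `NotAMemberError`; catching it there would close the window, though its body is not visible here.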