------------------------------------------------------------
revno: 1880
fixes bug: https://launchpad.net/bugs/1951769
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Sun 2021-11-21 20:31:11 -0800
message:
  Avoid NotAMemberError in CSRF check from user options page.
modified:
  Mailman/Cgi/options.py
  NEWS


--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py	2021-11-03 19:02:21 +0000
+++ Mailman/Cgi/options.py	2021-11-22 04:31:11 +0000
@@ -156,17 +156,6 @@
         else:
             user = user[-1].strip()
 
-    # Avoid cross-site scripting attacks
-    if set(params) - set(safe_params):
-        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'),
-                                  Utils.UnobscureEmail(urllib.unquote(user)))
-    else:
-        csrf_checked = True
-    # if password is present, void cookie to force password authentication.
-    if cgidata.getfirst('password'):
-        os.environ['HTTP_COOKIE'] = ''
-        csrf_checked = True
-
     safeuser = Utils.websafe(user)
     try:
         Utils.ValidateEmail(user)
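
Review bot: With the block removed from this spot, the `os.environ['HTTP_COOKIE'] = ''` side effect and the `csrf_checked` assignment no longer happen before `Utils.ValidateEmail(user)`, so every statement between here and the block's new location runs with the cookie intact and `csrf_checked` unbound. Please confirm that nothing on those paths, including the early `return` visible in the next hunk, reads either one; if anything does, initialise `csrf_checked = False` near `user = user[-1].strip()`.
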
@@ -183,6 +172,17 @@
         print doc.Format()
         return
 
+    # Avoid cross-site scripting attacks
+    if set(params) - set(safe_params):
+        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'),
+                                  Utils.UnobscureEmail(urllib.unquote(user)))
+    else:
+        csrf_checked = True
+    # if password is present, void cookie to force password authentication.
+    if cgidata.getfirst('password'):
+        os.environ['HTTP_COOKIE'] = ''
+        csrf_checked = True
+
     # Find the case preserved email address (the one the user subscribed with)
     lcuser = user.lower()
     try:
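
Review bot: The re-added comment `# Avoid cross-site scripting attacks` mislabels the code under it, which calls `csrf_check` with `csrf_token`; it should say cross-site request forgery. Since the whole point of the move is ordering, extend that comment to say the check must stay below the preceding early `return` so that `csrf_check` is not reached for an address that is no longer a member (the NotAMemberError named in the commit message); without that, a later cleanup could move the block back up.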

=== modified file 'NEWS'
--- NEWS	2021-11-12 23:23:52 +0000
+++ NEWS	2021-11-22 04:31:11 +0000
@@ -5,6 +5,13 @@
 
 Here is a history of user visible changes to Mailman.
 
+2.1.38 (xx-xxx-xxxx)
+
+  Bug Fixes and other patches
+
+    - NotAMemberError exception from the user options page when the user has
+      been asynchronously unsubscribed is fixed.  (LP: #1951769)
+
 2.1.37 (12-Nov-2021)
 
   Bug Fixes and other patches
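
Review bot: The new 2.1.38 entry describes only the symptom and does not say the exception was raised from the CSRF check on the user options page, which is how the commit message describes it. Consider adding that, so readers tracking changes to the CSRF handling in `Mailman/Cgi/options.py` can find this one from NEWS.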
