------------------------------------------------------------
revno: 1884
fixes bug: https://launchpad.net/bugs/1954694
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Mon 2021-12-13 10:13:41 -0800
message:
  Fix NameError and case sensitivity in CSRF check.
modified:
  Mailman/CSRFcheck.py
  NEWS
-- lp:mailman/2.1 https://code.launchpad.net/~mailman-coders/mailman/2.1
=== modified file 'Mailman/CSRFcheck.py' --- Mailman/CSRFcheck.py 2021-11-30 17:50:49 +0000 +++ Mailman/CSRFcheck.py 2021-12-13 18:13:41 +0000 @@ -85,11 +85,11 @@ # of the fix for CVE-2021-42096 but it must match the user for # whom the options page is requested. raw_user = UnobscureEmail(urllib.unquote(user)) - if cgi_user and cgi_user != raw_user: + if cgi_user and cgi_user.lower() != raw_user.lower(): syslog('mischief', 'Form for user %s submitted with CSRF token ' 'issued for %s.', - options_user, raw_user) + cgi_user, raw_user) return False context = keydict.get(key) key, secret = mlist.AuthContextInfo(context, user) === modified file 'NEWS' --- NEWS 2021-11-30 17:50:49 +0000 +++ NEWS 2021-12-13 18:13:41 +0000 @@ -5,6 +5,13 @@ Here is a history of user visible changes to Mailman. +2.1.39 (xx-xxx-xxxx) + + Bug Fixes and other patches + + - User matching for CSRF tokens is no longer case sensitive., and a + potential NamerError in logging is fixed. (LP: #1954694) + 2.1.38 (30-Nov-2021) Security
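Review bot: in the Mailman/CSRFcheck.py hunk, the new `cgi_user.lower() != raw_user.lower()` comparison deliberately ignores case in the whole address, including the local part that RFC 5321 treats as significant; the only nearby comment references CVE-2021-42096, so a one-line comment stating that Mailman matches member addresses case-insensitively here (and that a case-only difference therefore does not break the CSRF token binding) would save the next reader from re-deriving the rationale. The `options_user` -> `cgi_user` correction in the syslog call is right, but that NameError only surfaced on the mismatch branch, and the commit touches no test file; a test that drives both the genuine-mismatch path (expecting the log line and `return False`) and the case-only-difference path (expecting the check to proceed) would cover both halves of this fix.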
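Review bot: the NEWS hunk carries two typos that will ship verbatim into the 2.1.39 release notes: `NamerError` should read `NameError`, and `case sensitive., and a` has a stray period before the comma. Suggested entry: `- User matching for CSRF tokens is no longer case sensitive, and a potential NameError in logging is fixed. (LP: #1954694)`.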
Mailman-checkins mailing list -- mailman-checkins@python.org https://mail.python.org/mailman3/lists/mailman-checkins.python.org/