------------------------------------------------------------
revno: 1891
fixes bug: https://launchpad.net/bugs/2015416
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Wed 2023-04-05 16:46:40 -0700
message:
  Fixed another possible list membership leak via the user options CGI.
modified:
  Mailman/Cgi/options.py
  NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
=== modified file 'Mailman/Cgi/options.py' --- Mailman/Cgi/options.py 2022-07-10 00:06:49 +0000 +++ Mailman/Cgi/options.py 2023-04-05 23:46:40 +0000 @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2018 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2023 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -294,7 +294,9 @@ # to authenticate via cgi (instead of cookie), then print an error # message. if cgidata.has_key('password'): - doc.addError(_('Authentication failed.')) + if mlist.private_roster == 0: + # Only add error with public rosters lp: #2015416 + doc.addError(_('Authentication failed.')) remote = os.environ.get('HTTP_FORWARDED_FOR', os.environ.get('HTTP_X_FORWARDED_FOR', os.environ.get('REMOTE_ADDR', @@ -310,7 +312,9 @@ user, remote) user = None # give an HTTP 401 for authentication failure - print 'Status: 401 Unauthorized' + if mlist.private_roster == 0: + # Only add error with public rosters lp: #2015416 + print 'Status: 401 Unauthorized' loginpage(mlist, doc, user, language) print doc.Format() return === modified file 'NEWS' --- NEWS 2022-07-10 00:06:49 +0000 +++ NEWS 2023-04-05 23:46:40 +0000 @@ -20,6 +20,8 @@ (LP: #1961762) - A possible list membership leak via the user options CGI is fixed. (LP: #1968443) + - Another possible list membership leak via the user options CGI is fixed. + (LP: #2015416) 2.1.39 (13-Dec-2021)
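Review bot: In the @@ -294 hunk of Mailman/Cgi/options.py, the guard `if mlist.private_roster == 0:` means that on any list with a non-public roster a wrong password submitted via CGI now adds no "Authentication failed." text, so a genuine member who mistypes a password gets the login page back with no indication of what happened. The comment "Only add error with public rosters lp: #2015416" names the bug but not the reason; it should say that the error text is withheld so the response does not reveal whether the address is subscribed, and note the loss of feedback for real members as a deliberate trade-off. Comparing against a bare 0 is also easy to misread; a short note that 0 is the public roster setting would help.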
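Review bot: In the @@ -310 hunk of Mailman/Cgi/options.py, the comment above `print 'Status: 401 Unauthorized'` was copied from the earlier hunk and still reads "Only add error with public rosters", although this line emits an HTTP status header rather than adding an error to the document; the unchanged comment "# give an HTTP 401 for authentication failure" just above it is now only true for public rosters. Both comments should be reworded to say the 401 is sent only when the roster is public. The same `mlist.private_roster == 0` test now appears twice within a few lines, so evaluating it once into a local name and using that in both places would keep the two conditions from drifting apart.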
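Review bot: The NEWS hunk (@@ -20) records only that "Another possible list membership leak via the user options CGI is fixed" and does not mention the visible behaviour change in options.py: for lists whose roster is not public, a failed CGI password login no longer returns `Status: 401 Unauthorized` or the "Authentication failed." message. Site operators who count 401 responses in web server access logs to spot password guessing will stop seeing those failures for such lists, so the entry should say so in a sentence; the logging call that ends in `user, remote)` is left in place by the patch and could be named there as the signal to watch instead.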