Mailman-admin writes:

> On 13.12.21 at 12:09, Sebastian Hagedorn wrote:
>
> > Nov 24 19:33:24 2021 (117276) Form for user x...@smail.uni-koeln.de
> > submitted with CSRF token issued for x...@smail.uni-koeln.de.
> >
> > The only difference is in the case of the email address. I'm no expert
> > on CSRF attacks, but to me it seems as though the comparison should
> > perhaps disregard differences in case only?
>
> As the local part of an email address can be case sensitive,

This is true, but

> this should only be case insensitive for the domain part.

this part depends on exactly how these addresses are generated. In fact, the definition of "equivalent" for the local part is entirely up to the site. If the site policy is to make local parts case insensitive, then the addresses are equivalent in that sense.

On the other hand, whether they should be equivalent for CSRF validation is another question. Since the CSRF validation is supposed to be entirely transparent to the user, I would (naively) expect that the strings representing the same address in the request should be identical. We'd need to figure out why the case of the address is changing, and whether that could be an attack.

Also, some providers treat many more local parts as equivalent. For example, there is the "+" notation separating the real mailbox from an extension token, and IIRC, Google ignores punctuation in local parts. So this is potentially very complicated.

Steve

------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
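The distinction Steve draws above, between two address strings being byte-identical and being "equivalent" under some site policy, is easy to make concrete. The following is an added example, not part of the thread and not Mailman's own CSRF code: it parses log lines in the format Sebastian quoted, then classifies each pair of addresses as identical, equivalent under a chosen policy, or a genuine mismatch. The sample log lines are constructed (the redacted local parts are replaced with made-up ones so the case difference is visible), the domain part is always compared case-insensitively, and every rule applied to the local part (case folding, dropping a "+" extension, ignoring dots as some providers such as Gmail do) is an assumed site policy switched on explicitly rather than a claim about what any real site does.

```python
"""Added example, not code from the thread or from Mailman itself.

Given Mailman-style "Form for user ... submitted with CSRF token issued
for ..." log lines, classify each pair of addresses as identical strings,
as equivalent under a chosen site policy for the local part, or as a real
mismatch.  The domain part is always compared case-insensitively; every
rule applied to the local part is a site-policy assumption.
"""
import re

# Constructed sample in the log format quoted in the thread.  Addresses are
# made up; the redacted local part of the original is replaced so that the
# case difference is visible.
SAMPLE_LOG = """\
Nov 24 19:33:24 2021 (117276) Form for user x@smail.uni-koeln.de submitted with CSRF token issued for x@smail.uni-koeln.de.
Nov 24 19:35:02 2021 (117276) Form for user X@smail.uni-koeln.de submitted with CSRF token issued for x@smail.uni-koeln.de.
Nov 24 19:36:40 2021 (117276) Form for user x@SMAIL.uni-koeln.de submitted with CSRF token issued for x@smail.uni-koeln.de.
Nov 24 19:40:11 2021 (117276) Form for user alice@example.org submitted with CSRF token issued for bob@example.org.
"""

# Matches the log message shape shown in the thread; the trailing "." after
# the second address belongs to the sentence, not to the address.
CSRF_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \((?P<pid>\d+)\) "
    r"Form for user (?P<submitted>\S+) submitted with CSRF token issued for "
    r"(?P<issued>\S+?)\.?\s*$"
)


def split_address(addr):
    """Split on the last '@'; raise on anything that is not local@domain."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    return local, domain


def canonical(addr, *, local_case_insensitive=False, strip_extension=False,
              ignore_dots=False):
    """Canonical form of an address under a site policy.

    Domain: always lower-cased (domain names are case-insensitive).
    Local part: untouched unless the policy says otherwise.  strip_extension
    drops a '+tag' sub-address; ignore_dots models providers that disregard
    dots in the local part.  Both are assumptions about *your* site's policy.
    """
    local, domain = split_address(addr)
    if strip_extension:
        local = local.split("+", 1)[0]
    if ignore_dots:
        local = local.replace(".", "")
    if local_case_insensitive:
        local = local.lower()
    return f"{local}@{domain.lower()}"


def compare_for_csrf(issued_for, submitted_for, **policy):
    """Return 'identical', 'equivalent' or 'mismatch'.

    A CSRF check is meant to be transparent to the user, so only 'identical'
    should pass silently.  'equivalent' means the site treats both strings as
    the same mailbox, yet the address changed between token issue and form
    submission: the case to investigate rather than to accept.
    """
    if issued_for == submitted_for:
        return "identical"
    if canonical(issued_for, **policy) == canonical(submitted_for, **policy):
        return "equivalent"
    return "mismatch"


def triage(log_text, **policy):
    """Return (timestamp, submitted, issued, verdict) for every CSRF log line."""
    rows = []
    for line in log_text.splitlines():
        m = CSRF_LINE.match(line)
        if not m:
            continue  # unrelated log line
        verdict = compare_for_csrf(m["issued"], m["submitted"], **policy)
        rows.append((m["ts"], m["submitted"], m["issued"], verdict))
    return rows


if __name__ == "__main__":
    for ts, submitted, issued, verdict in triage(SAMPLE_LOG):
        print(f"{ts}: {submitted!r} vs token for {issued!r}: {verdict}")
```

Run against the constructed sample with the default (strict local part) policy, the upper-case local part is reported as a mismatch while the upper-case domain is reported as equivalent; pass `local_case_insensitive=True` and the former becomes equivalent too. Either way it is never reported as identical, which is the signal an admin wants when asking why the address case changed between token issue and submission.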