On 12/13/21 10:02 AM, Stephen J. Turnbull wrote:

> On the other hand, whether they should be equivalent for CSRF
> validation is another question.  Since the CSRF validation is supposed
> to be entirely transparent to the user, I would (naively) expect that
> the strings representing the same address in the request should be
> identical.  We'd need to figure out why the case of the address is
> changing, and whether that could be an attack.

I have reported this issue at https://bugs.launchpad.net/mailman/+bug/1954694, and I am fixing it. In this case, we are only trying to determine that the user posting the options form is the same user for whom the CSRF token was issued. While Mailman does keep track of case-preserved email addresses for mail delivery, a user is identified by lowercase email so comparing lowercase email is fine.

--
Mark Sapiro <[email protected]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
------------------------------------------------------
Mailman-Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/[email protected]/
   https://mail.python.org/archives/list/[email protected]/
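As an added illustration of the fix described above (example code, not Mailman's own implementation): the CSRF token is bound to the lowercased address that identifies the user, so a form posted with the same address in different case still validates, while a token issued to another user, for another list, or too long ago does not. The function names, the `ts:hmac` token layout and the in-memory secret are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed per-process secret; a real deployment loads it from configuration.
SECRET_KEY = secrets.token_bytes(32)


def normalize_address(email: str) -> str:
    """A user is identified by the lowercased address, so normalize before the
    address takes part in any identity comparison (the case-preserved form is
    only needed for mail delivery)."""
    return email.strip().lower()


def _mac(email: str, list_name: str, ts: int) -> str:
    """HMAC over (normalized user, list, issue time)."""
    msg = f"{normalize_address(email)}:{list_name}:{ts}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(email: str, list_name: str,
                     issued_at: Optional[int] = None) -> str:
    """Token handed out with the options form: '<issue_time>:<hmac>'."""
    ts = int(time.time()) if issued_at is None else issued_at
    return f"{ts}:{_mac(email, list_name, ts)}"


def verify_csrf_token(token: str, email: str, list_name: str,
                      max_age: int = 3600, now: Optional[int] = None) -> bool:
    """Check that the user posting the form is the one the token was issued
    for. `email` comes from the request and may differ in case from the
    address used at issue time; normalization makes that irrelevant."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False  # malformed token
    current = int(time.time()) if now is None else now
    if not 0 <= current - ts <= max_age:
        return False  # expired or issued in the future
    # Constant-time comparison so the check leaks nothing about the MAC.
    return hmac.compare_digest(_mac(email, list_name, ts), mac)
```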