authorMark Sapiro <mark@msapiro.net>2021-11-21 20:31:11 -0800
committerMark Sapiro <mark@msapiro.net>2021-11-21 20:31:11 -0800
commit4fe8740ec232a59edd0fde6087bd7b014b17f5ef (patch)
tree3d67e68f9c8568fead6a5671cba7c8113b6278e9
parent021c86bed55dc1424576a894d84b3ec3c65736ba (diff)
Avoid NotAMemberError in CSRF check from user options page.
-rw-r--r--Mailman/Cgi/options.py22
-rw-r--r--NEWS7
2 files changed, 18 insertions, 11 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 3db0a172..af6e3add 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -156,17 +156,6 @@ def main():
else:
user = user[-1].strip()
- # Avoid cross-site scripting attacks
- if set(params) - set(safe_params):
- csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'),
- Utils.UnobscureEmail(urllib.unquote(user)))
- else:
- csrf_checked = True
- # if password is present, void cookie to force password authentication.
- if cgidata.getfirst('password'):
- os.environ['HTTP_COOKIE'] = ''
- csrf_checked = True
-
safeuser = Utils.websafe(user)
try:
Utils.ValidateEmail(user)
@@ -183,6 +172,17 @@ def main():
print doc.Format()
return
+ # Avoid cross-site scripting attacks
+ if set(params) - set(safe_params):
+ csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'),
+ Utils.UnobscureEmail(urllib.unquote(user)))
+ else:
+ csrf_checked = True
+ # if password is present, void cookie to force password authentication.
+ if cgidata.getfirst('password'):
+ os.environ['HTTP_COOKIE'] = ''
+ csrf_checked = True
+
# Find the case preserved email address (the one the user subscribed with)
lcuser = user.lower()
try:
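Review bot: The relocated comment `# Avoid cross-site scripting attacks` names the wrong attack class — `csrf_check` verifies a request-forgery token, it has nothing to do with output escaping — so the line above the `if set(params) - set(safe_params):` test should read `# Avoid cross-site request forgery (CSRF) attacks`. Moving the check below `Utils.ValidateEmail(user)` and the error-document return also widens the stretch of code that runs before the token is verified; the visible lines in between only validate the address and print an error page, which looks side-effect free, but main() extends beyond both hunks, so any statement between the old and new positions that reads `csrf_checked` (now bound later) or touches list state would need confirming. The password branch that clears `HTTP_COOKIE` and sets `csrf_checked = True` is carried over unchanged; a short comment such as `# password auth replaces the token check` would make that exemption explicit for the next reader.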
diff --git a/NEWS b/NEWS
index 3ccc4c76..8b874ee2 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,13 @@ Copyright (C) 1998-2020 by the Free Software Foundation, Inc.
Here is a history of user visible changes to Mailman.
+2.1.38 (xx-xxx-xxxx)
+
+ Bug Fixes and other patches
+
+ - NotAMemberError exception from the user options page when the user has
+ been asynchronously unsubscribed is fixed. (LP: #1951769)
+
2.1.37 (12-Nov-2021)
Bug Fixes and other patches