diff options
author | Mark Sapiro <mark@msapiro.net> | 2021-11-21 20:31:11 -0800 |
---|---|---|
committer | Mark Sapiro <mark@msapiro.net> | 2021-11-21 20:31:11 -0800 |
commit | 4fe8740ec232a59edd0fde6087bd7b014b17f5ef (patch) | |
tree | 3d67e68f9c8568fead6a5671cba7c8113b6278e9 | |
parent | 021c86bed55dc1424576a894d84b3ec3c65736ba (diff) | |
download | mailman2-4fe8740ec232a59edd0fde6087bd7b014b17f5ef.tar.gz mailman2-4fe8740ec232a59edd0fde6087bd7b014b17f5ef.tar.xz mailman2-4fe8740ec232a59edd0fde6087bd7b014b17f5ef.zip |
Avoid NotAMemberError in CSRF check from user options page.
-rw-r--r-- | Mailman/Cgi/options.py | 22 | ||||
-rw-r--r-- | NEWS | 7 |
2 files changed, 18 insertions, 11 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py index 3db0a172..af6e3add 100644 --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -156,17 +156,6 @@ def main(): else: user = user[-1].strip() - # Avoid cross-site scripting attacks - if set(params) - set(safe_params): - csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'), - Utils.UnobscureEmail(urllib.unquote(user))) - else: - csrf_checked = True - # if password is present, void cookie to force password authentication. - if cgidata.getfirst('password'): - os.environ['HTTP_COOKIE'] = '' - csrf_checked = True - safeuser = Utils.websafe(user) try: Utils.ValidateEmail(user) @@ -183,6 +172,17 @@ def main(): print doc.Format() return + # Avoid cross-site scripting attacks + if set(params) - set(safe_params): + csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'), + Utils.UnobscureEmail(urllib.unquote(user))) + else: + csrf_checked = True + # if password is present, void cookie to force password authentication. + if cgidata.getfirst('password'): + os.environ['HTTP_COOKIE'] = '' + csrf_checked = True + # Find the case preserved email address (the one the user subscribed with) lcuser = user.lower() try: @@ -5,6 +5,13 @@ Copyright (C) 1998-2020 by the Free Software Foundation, Inc. Here is a history of user visible changes to Mailman. +2.1.38 (xx-xxx-xxxx) + + Bug Fixes and other patches + + - NotAMemberError exception from the user options page when the user has + been asynchronously unsubscribed is fixed. (LP: #1951769) + 2.1.37 (12-Nov-2021) Bug Fixes and other patches |