authorMark Sapiro <mark@msapiro.net>2019-03-06 09:48:32 -0800
committerMark Sapiro <mark@msapiro.net>2019-03-06 09:48:32 -0800
commitccc55497603d5079bd2f95045f42a26a351811c6 (patch)
tree8361138af8c7e94cd473736ffdc48beed3a0b68f
parentae069ea19ddc31cb1ce9fa48f6b305ee6cdb4266 (diff)
downloadmailman2-ccc55497603d5079bd2f95045f42a26a351811c6.tar.gz
mailman2-ccc55497603d5079bd2f95045f42a26a351811c6.tar.xz
mailman2-ccc55497603d5079bd2f95045f42a26a351811c6.zip
Strip leading/trailing spaces from login email for private and options login.
-rw-r--r--Mailman/Cgi/options.py5
-rw-r--r--Mailman/Cgi/private.py2
-rw-r--r--NEWS3
3 files changed, 7 insertions, 3 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 3a3b7841..641ec134 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -144,7 +144,7 @@ def main():
doc.set_language(language)
if lenparts < 2:
- user = cgidata.getfirst('email')
+ user = cgidata.getfirst('email', '').strip()
if not user:
# If we're coming from the listinfo page and we left the email
# address field blank, it's not an error. Likewise if we're
@@ -161,11 +161,12 @@ def main():
# If a user submits a form or URL with post data or query fragments
# with multiple occurrences of the same variable, we can get a list
# here. Be as careful as possible.
+ # This is no longer required because of getfirst() above, but leave it.
if isinstance(user, list) or isinstance(user, tuple):
if len(user) == 0:
user = ''
else:
- user = user[-1]
+ user = user[-1].strip()
# Avoid cross-site scripting attacks
safeuser = Utils.websafe(user)
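Review bot: The first hunk changes the missing-field result from `None` (old `getfirst('email')`) to `''` (new `getfirst('email', '')`); the visible `if not user:` check treats both the same, but main() continues outside both hunks, so any later `user is None` test in the function would need to be checked against the new default. The second hunk's list/tuple branch is now unreachable because getfirst() only returns a single value, and the added comment says so indirectly; I would make it explicit, `# getfirst() above always returns a scalar, so this branch is unreachable; kept as a defensive fallback.`, so the `user[-1].strip()` change is not mistaken for live logic. If the getfirst() call in the first hunk is not already guarded the way private.py guards it (a malformed POST with a bad Content-Type raises TypeError from getfirst()), the added `.strip()` does not change that risk but the call site is worth confirming as covered.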
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 7112c6c4..731e2d19 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -119,7 +119,7 @@ def main():
cgidata = cgi.FieldStorage()
try:
- username = cgidata.getfirst('username', '')
+ username = cgidata.getfirst('username', '').strip()
except TypeError:
# Someone crafted a POST with a bad Content-Type:.
doc.AddItem(Header(2, _("Error")))
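Review bot: `str.strip()` on the byte string returned here only removes ASCII whitespace, so an address pasted from an HTML page with a trailing non-breaking space (`\xc2\xa0` in UTF-8) still fails the member lookup; if the intent of the change is to tolerate pasted addresses generally rather than plain spaces, that case is not covered. The mismatch fails closed (the login is simply rejected), so this does not weaken the check. The same `.strip()` is duplicated in Mailman/Cgi/options.py; a small shared helper in Utils would keep the two login paths normalizing the address identically if the rule is ever widened. main() continues outside the hunk.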
diff --git a/NEWS b/NEWS
index 85b15ff2..29b0be7a 100644
--- a/NEWS
+++ b/NEWS
@@ -38,6 +38,9 @@ Here is a history of user visible changes to Mailman.
- Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All.
(LP: #1818205)
+ - Leading/trailing spaces in provided email addresses for login to private
+ archives and the user options page are now ignored. (LP: #1818872)
+
2.1.29 (24-Jul-2018)
Bug Fixes