diff options
| author | Mark Sapiro <mark@msapiro.net> | 2019-03-06 09:48:32 -0800 |
|---|---|---|
| committer | Mark Sapiro <mark@msapiro.net> | 2019-03-06 09:48:32 -0800 |
| commit | ccc55497603d5079bd2f95045f42a26a351811c6 (patch) | |
| tree | 8361138af8c7e94cd473736ffdc48beed3a0b68f | |
| parent | ae069ea19ddc31cb1ce9fa48f6b305ee6cdb4266 (diff) | |
| download | mailman2-ccc55497603d5079bd2f95045f42a26a351811c6.tar.gz mailman2-ccc55497603d5079bd2f95045f42a26a351811c6.tar.xz mailman2-ccc55497603d5079bd2f95045f42a26a351811c6.zip | |
Strip leading/trailing spaces from login email for private and options login.
| -rw-r--r-- | Mailman/Cgi/options.py | 5 | ||||
| -rw-r--r-- | Mailman/Cgi/private.py | 2 | ||||
| -rw-r--r-- | NEWS | 3 |
3 files changed, 7 insertions, 3 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py index 3a3b7841..641ec134 100644 --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -144,7 +144,7 @@ def main(): doc.set_language(language) if lenparts < 2: - user = cgidata.getfirst('email') + user = cgidata.getfirst('email', '').strip() if not user: # If we're coming from the listinfo page and we left the email # address field blank, it's not an error. Likewise if we're @@ -161,11 +161,12 @@ def main(): # If a user submits a form or URL with post data or query fragments # with multiple occurrences of the same variable, we can get a list # here. Be as careful as possible. + # This is no longer required because of getfirst() above, but leave it. if isinstance(user, list) or isinstance(user, tuple): if len(user) == 0: user = '' else: - user = user[-1] + user = user[-1].strip() # Avoid cross-site scripting attacks safeuser = Utils.websafe(user) diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py index 7112c6c4..731e2d19 100644 --- a/Mailman/Cgi/private.py +++ b/Mailman/Cgi/private.py @@ -119,7 +119,7 @@ def main(): cgidata = cgi.FieldStorage() try: - username = cgidata.getfirst('username', '') + username = cgidata.getfirst('username', '').strip() except TypeError: # Someone crafted a POST with a bad Content-Type:. doc.AddItem(Header(2, _("Error"))) @@ -38,6 +38,9 @@ Here is a history of user visible changes to Mailman. - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All. (LP: #1818205) + - Leading/trailing spaces in provided email addresses for login to private + archives and the user options page are now ignored. (LP: #1818872) + 2.1.29 (24-Jul-2018) Bug Fixes |