author | Mark Sapiro <mark@msapiro.net> | 2013-06-13 17:48:43 -0700 |
---|---|---|
committer | Mark Sapiro <mark@msapiro.net> | 2013-06-13 17:48:43 -0700 |
commit | 3c41c584c3bd587e0d38ab48ba63a47ead2b18e3 (patch) | |
tree | 460de9d65231e24bdeb8ca3c19d75a5b07b225fe | |
parent | 34d5cbf83819f464d365ec7ecb731f94771bf446 (diff) | |
- Fixed a bug causing the admin web interface to fail CSRF checking if
the list name contains a '+' character. (LP: #1190802)
-rw-r--r-- | Mailman/CSRFcheck.py | 7 | ||||
-rwxr-xr-x | NEWS | 3 |
2 files changed, 7 insertions, 3 deletions
diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py
index a3b6885a..d531ffc2 100644
--- a/Mailman/CSRFcheck.py
+++ b/Mailman/CSRFcheck.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2011-2012 by the Free Software Foundation, Inc.
+# Copyright (C) 2011-2013 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -55,8 +55,9 @@ def csrf_check(mlist, token):
     try:
         issued, keymac = marshal.loads(binascii.unhexlify(token))
         key, received_mac = keymac.split(':', 1)
-        klist, key = key.split('+', 1)
-        assert klist == mlist.internal_name()
+        if not key.startswith(mlist.internal_name() + '+'):
+            return False
+        key = key[len(mlist.internal_name()) + 1:]
         if '+' in key:
             key, user = key.split('+', 1)
         else:
@@ -61,6 +61,9 @@ Here is a history of user visible changes to Mailman.
 Bug Fixes and other patches
+ - Fixed a bug causing the admin web interface to fail CSRF checking if
+ the list name contains a '+' character. (LP: #1190802)
+
 - Fixed bin/mailmanctl -s to not remove the master lock if it can't be determined to be truly stale. (LP: #1189558) |
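Review bot: The new prefix check in csrf_check calls `mlist.internal_name()` twice and then slices by a separately recomputed length, which is easy to get out of sync if either line is edited; bind it once: `prefix = mlist.internal_name() + '+'`, `if not key.startswith(prefix): return False`, `key = key[len(prefix):]`. The early `return False` replaces an `assert` that was presumably caught by an except clause further down; csrf_check's body and that handler continue outside the hunk, so confirm nothing after the try block relies on reaching the handler. A comment such as `# The list name may itself contain '+', so match the exact 'listname+' prefix instead of splitting on the first '+'` would record why the split was replaced, since the new form reads as an unexplained slice. Note also that `marshal.loads` on the context line above deserializes the caller-supplied token before the prefix check (and before any MAC comparison, which is not visible here); that is pre-existing, but marshal is documented as not safe against malicious input, so a NOTE comment there flagging the ordering would help the next maintainer.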