aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMark Sapiro <mark@msapiro.net>2021-12-13 10:13:41 -0800
committerMark Sapiro <mark@msapiro.net>2021-12-13 10:13:41 -0800
commit7d7489577f3012195e1d5b49f5bd5a41a0de115a (patch)
tree772761f130086d034bd3fdf86a94b38c7693aa86
parent2d8ebb99b6ce134c92c35502753a5246d4884e1e (diff)
downloadmailman2-7d7489577f3012195e1d5b49f5bd5a41a0de115a.tar.gz
mailman2-7d7489577f3012195e1d5b49f5bd5a41a0de115a.tar.xz
mailman2-7d7489577f3012195e1d5b49f5bd5a41a0de115a.zip
Fix NameError and case sensitivity in CSRF check.
-rw-r--r--Mailman/CSRFcheck.py4
-rw-r--r--NEWS7
2 files changed, 9 insertions, 2 deletions
diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py
index 9a0b67fc..1fd8b07d 100644
--- a/Mailman/CSRFcheck.py
+++ b/Mailman/CSRFcheck.py
@@ -85,11 +85,11 @@ def csrf_check(mlist, token, cgi_user=None):
# of the fix for CVE-2021-42096 but it must match the user for
# whom the options page is requested.
raw_user = UnobscureEmail(urllib.unquote(user))
- if cgi_user and cgi_user != raw_user:
+ if cgi_user and cgi_user.lower() != raw_user.lower():
syslog('mischief',
'Form for user %s submitted with CSRF token '
'issued for %s.',
- options_user, raw_user)
+ cgi_user, raw_user)
return False
context = keydict.get(key)
key, secret = mlist.AuthContextInfo(context, user)
diff --git a/NEWS b/NEWS
index 6e29cf46..8db9c765 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,13 @@ Copyright (C) 1998-2020 by the Free Software Foundation, Inc.
Here is a history of user visible changes to Mailman.
+2.1.39 (xx-xxx-xxxx)
+
+ Bug Fixes and other patches
+
+ - User matching for CSRF tokens is no longer case sensitive., and a
+ potential NamerError in logging is fixed. (LP: #1954694)
+
2.1.38 (30-Nov-2021)
Security