aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMark Sapiro <mark@msapiro.net>2018-06-03 16:52:44 -0700
committerMark Sapiro <mark@msapiro.net>2018-06-03 16:52:44 -0700
commiteef7927345dd7a93c5290c9f0a3805e517e3f453 (patch)
tree24570cf42d660043e5812d3fe404dedf691eea04
parentd1bbecfd795d3fb615dad0171a0a19c21d9937a9 (diff)
parentf1e9440ad3e4babcdc9999f572f7b4d7929130b1 (diff)
downloadmailman2-eef7927345dd7a93c5290c9f0a3805e517e3f453.tar.gz
mailman2-eef7927345dd7a93c5290c9f0a3805e517e3f453.tar.xz
mailman2-eef7927345dd7a93c5290c9f0a3805e517e3f453.zip
Modified SUBSCRIBE_FORM_SECRET hash generation.
-rw-r--r--Mailman/Cgi/listinfo.py6
-rwxr-xr-xMailman/Cgi/subscribe.py6
-rw-r--r--NEWS5
3 files changed, 11 insertions, 6 deletions
diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py
index 78fda942..b55c263d 100644
--- a/Mailman/Cgi/listinfo.py
+++ b/Mailman/Cgi/listinfo.py
@@ -218,9 +218,9 @@ def list_listinfo(mlist, lang):
remote = remote.rsplit(':', 1)[0]
replacements['<mm-subscribe-form-start>'] += (
'<input type="hidden" name="sub_form_token" value="%s:%s">\n'
- % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
- now +
- mlist.internal_name() +
+ % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" +
+ now + ":" +
+ mlist.internal_name() + ":" +
remote
).hexdigest()
)
diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py
index aefce493..b6527a2a 100755
--- a/Mailman/Cgi/subscribe.py
+++ b/Mailman/Cgi/subscribe.py
@@ -173,9 +173,9 @@ def process_form(mlist, doc, cgidata, lang):
except ValueError:
ftime = fhash = ''
then = 0
- token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
- ftime +
- mlist.internal_name() +
+ token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" +
+ ftime + ":" +
+ mlist.internal_name() + ":" +
remote1).hexdigest()
if ftime and now - then > mm_cfg.FORM_LIFETIME:
results.append(_('The form is too old. Please GET it again.'))
diff --git a/NEWS b/NEWS
index b89ad032..5ceffc63 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,11 @@ Here is a history of user visible changes to Mailman.
- A few more error messages have had their values HTML escaped.
+ - The hash generated when SUBSCRIBE_FORM_SECRET is set could have been
+ the same as one generated at the same time for a different list and
+ IP address. While this is not thought to be exploitable in any way,
+ the generation has been changed to avoid this. Thanks to Ralf Jung.
+
New Features
- An option has been added to bin/add_members to issue invitations