author | Mark Sapiro <mark@msapiro.net> | 2018-06-03 16:52:44 -0700 |
committer | Mark Sapiro <mark@msapiro.net> | 2018-06-03 16:52:44 -0700 |
commit | eef7927345dd7a93c5290c9f0a3805e517e3f453 (patch) | |
tree | 24570cf42d660043e5812d3fe404dedf691eea04 | |
parent | d1bbecfd795d3fb615dad0171a0a19c21d9937a9 (diff) | |
parent | f1e9440ad3e4babcdc9999f572f7b4d7929130b1 (diff) | |
Modified SUBSCRIBE_FORM_SECRET hash generation.
-rw-r--r-- | Mailman/Cgi/listinfo.py | 6 | ||||
-rwxr-xr-x | Mailman/Cgi/subscribe.py | 6 | ||||
-rw-r--r-- | NEWS | 5 |
3 files changed, 11 insertions, 6 deletions
diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py
index 78fda942..b55c263d 100644
--- a/Mailman/Cgi/listinfo.py
+++ b/Mailman/Cgi/listinfo.py
@@ -218,9 +218,9 @@ def list_listinfo(mlist, lang):
remote = remote.rsplit(':', 1)[0]
replacements['<mm-subscribe-form-start>'] += (
'<input type="hidden" name="sub_form_token" value="%s:%s">\n'
- % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
- now +
- mlist.internal_name() +
+ % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" +
+ now + ":" +
+ mlist.internal_name() + ":" +
remote
).hexdigest()
)
diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py
index aefce493..b6527a2a 100755
--- a/Mailman/Cgi/subscribe.py
+++ b/Mailman/Cgi/subscribe.py
@@ -173,9 +173,9 @@ def process_form(mlist, doc, cgidata, lang):
except ValueError:
ftime = fhash = ''
then = 0
- token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
- ftime +
- mlist.internal_name() +
+ token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" +
+ ftime + ":" +
+ mlist.internal_name() + ":" +
remote1).hexdigest()
if ftime and now - then > mm_cfg.FORM_LIFETIME:
results.append(_('The form is too old. Please GET it again.'))
@@ -14,6 +14,11 @@ Here is a history of user visible changes to Mailman.
- A few more error messages have had their values HTML escaped.
+ - The hash generated when SUBSCRIBE_FORM_SECRET is set could have been
+ the same as one generated at the same time for a different list and
+ IP address. While this is not thought to be exploitable in any way,
+ the generation has been changed to avoid this. Thanks to Ralf Jung.
+
New Features
- An option has been added to bin/add_members to issue invitations |
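Review bot: The ":" separator added to the `Utils.sha_new(...)` input in the listinfo.py hunk (and identically in the subscribe.py hunk) only removes the ambiguity when no field can itself contain ":", yet `remote` comes from `remote.rsplit(':', 1)[0]` on the hunk's first context line, so a value that still carries colons (an IPv6 literal, presumably) can again collide with a different list/address split. An unambiguous encoding length-prefixes each field, and keying the digest on the secret rather than prefixing it is the standard construction, e.g. `msg = ':'.join('%d:%s' % (len(f), f) for f in (now, mlist.internal_name(), remote))` followed by `hmac.new(mm_cfg.SUBSCRIBE_FORM_SECRET, msg, Utils.sha_new).hexdigest()`, with the same change mirrored in process_form. Since the two sites must produce byte-identical input, moving the construction into one shared helper next to `Utils.sha_new` would keep them from drifting apart again. list_listinfo and process_form both continue outside their hunks, so the later comparison of `fhash` against `token` is not visible here.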