author | Ralf Jung <post@ralfj.de> | 2018-06-03 22:19:49 +0200 |
---|---|---|
committer | Ralf Jung <post@ralfj.de> | 2018-06-03 22:19:49 +0200 |
commit | f1e9440ad3e4babcdc9999f572f7b4d7929130b1 (patch) | |
tree | d358af58a14d0e7f60da750507bc5d1f03207fb9 | |
parent | d1bbecfd795d3fb615dad0171a0a19c21d9937a9 (diff) | |
download | mailman2-f1e9440ad3e4babcdc9999f572f7b4d7929130b1.tar.gz mailman2-f1e9440ad3e4babcdc9999f572f7b4d7929130b1.tar.xz mailman2-f1e9440ad3e4babcdc9999f572f7b4d7929130b1.zip |
Separate data in CSRF token by colon to avoid collisions.
This makes the data-to-token function injective. Previously, for example, the
list called "list1" and the IP "10.0.0.0" would have the same hash as the list
called "list" and the IP "110.0.0.0", as the strings were just concatenated.
-rw-r--r-- | Mailman/Cgi/listinfo.py | 6 | ||||
-rwxr-xr-x | Mailman/Cgi/subscribe.py | 6 |
2 files changed, 6 insertions, 6 deletions
diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py
index 78fda942..b55c263d 100644
--- a/Mailman/Cgi/listinfo.py
+++ b/Mailman/Cgi/listinfo.py
@@ -218,9 +218,9 @@ def list_listinfo(mlist, lang):
             remote = remote.rsplit(':', 1)[0]
         replacements['<mm-subscribe-form-start>'] += (
             '<input type="hidden" name="sub_form_token" value="%s:%s">\n'
-            % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
-                                now +
-                                mlist.internal_name() +
+            % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" +
+                                now + ":" +
+                                mlist.internal_name() + ":" +
                                 remote
                                 ).hexdigest()
             )
diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py
index aefce493..b6527a2a 100755
--- a/Mailman/Cgi/subscribe.py
+++ b/Mailman/Cgi/subscribe.py
@@ -173,9 +173,9 @@ def process_form(mlist, doc, cgidata, lang):
         except ValueError:
             ftime = fhash = ''
             then = 0
-        token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
-                             ftime +
-                             mlist.internal_name() +
+        token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" +
+                             ftime + ":" +
+                             mlist.internal_name() + ":" +
                              remote1).hexdigest()
         if ftime and now - then > mm_cfg.FORM_LIFETIME:
             results.append(_('The form is too old. Please GET it again.'))
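Review bot: The injectivity the commit message claims holds only because `remote` is the last field — the IPv6 branch just above (`remote.rsplit(':', 1)`) shows it can itself contain ':' — and nothing in this hunk stops `mlist.internal_name()` from containing one, so that ordering is an invariant worth a comment next to the join, e.g. `# fields are ':'-separated so (time, list, ip) hashes uniquely; remote must stay last because IPv6 addresses contain ':'`. Separately, `sha(secret + data)` is a secret-prefix hash rather than a MAC; `hmac.new(mm_cfg.SUBSCRIBE_FORM_SECRET, ':'.join((now, mlist.internal_name(), remote)), digest)` with the same digest Utils.sha_new uses would be the conventional construction, and it would have to change in subscribe.py in the same commit or every token would fail to verify. Length extension does not look exploitable as written, because the verifier supplies the trailing `remote` from the request rather than from the token, so this is hygiene rather than a live flaw. list_listinfo starts before the hunk.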
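Review bot: This hunk repeats the token formula from listinfo.py byte for byte, and the commit itself had to edit both copies in lockstep — a single helper such as `token = Utils.subscribe_form_token(ftime, mlist.internal_name(), remote1)`, doing the ':'-join and the hash in one place, would make it impossible for the minting and verifying sides to drift apart. The delimiter is sound on this side only if `ftime` cannot contain ':', which presumably follows from the `split(':')` in the `try` body above the hunk; worth confirming rather than assuming. Tokens minted under the old formula no longer verify after this deploys, so forms already open within FORM_LIFETIME will land on the error path — acceptable, but worth a sentence in the commit message. The comparison of `token` with `fhash` falls outside the hunk; if it is a plain `!=`, a constant-time compare (`hmac.compare_digest` where the supported Python version allows it) would close the timing channel on the secret-derived value. process_form continues outside the hunk.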