diff options
author | Mark Sapiro <mark@msapiro.net> | 2021-12-13 10:13:41 -0800 |
---|---|---|
committer | Mark Sapiro <mark@msapiro.net> | 2021-12-13 10:13:41 -0800 |
commit | 7d7489577f3012195e1d5b49f5bd5a41a0de115a (patch) | |
tree | 772761f130086d034bd3fdf86a94b38c7693aa86 /Mailman/CSRFcheck.py | |
parent | 2d8ebb99b6ce134c92c35502753a5246d4884e1e (diff) | |
download | mailman2-7d7489577f3012195e1d5b49f5bd5a41a0de115a.tar.gz mailman2-7d7489577f3012195e1d5b49f5bd5a41a0de115a.tar.xz mailman2-7d7489577f3012195e1d5b49f5bd5a41a0de115a.zip |
Fix NameError and case sensitivity in CSRF check.
Diffstat (limited to '')
-rw-r--r-- | Mailman/CSRFcheck.py | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py index 9a0b67fc..1fd8b07d 100644 --- a/Mailman/CSRFcheck.py +++ b/Mailman/CSRFcheck.py @@ -85,11 +85,11 @@ def csrf_check(mlist, token, cgi_user=None): # of the fix for CVE-2021-42096 but it must match the user for # whom the options page is requested. raw_user = UnobscureEmail(urllib.unquote(user)) - if cgi_user and cgi_user != raw_user: + if cgi_user and cgi_user.lower() != raw_user.lower(): syslog('mischief', 'Form for user %s submitted with CSRF token ' 'issued for %s.', - options_user, raw_user) + cgi_user, raw_user) return False context = keydict.get(key) key, secret = mlist.AuthContextInfo(context, user) |