authorJim Popovitch <jimpop@gmail.com>2013-11-17 01:56:29 +0000
committerJim Popovitch <jimpop@gmail.com>2013-11-17 01:56:29 +0000
commit06d15b0a9949652f696d19903cef2a235ff3a428 (patch)
tree55a9c12de799cc056da986aafe3b8e66d0cbf94b /Mailman/CSRFcheck.py
parentbc05ad4e81bd2ce9ec0f36e5112eadf607a49195 (diff)
parentded18dda2b2f9ba00f8780b4eba6c398c5bff838 (diff)
Upstream changes
Diffstat (limited to 'Mailman/CSRFcheck.py')
-rw-r--r--Mailman/CSRFcheck.py7
1 files changed, 4 insertions, 3 deletions
diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py
index a3b6885a..d531ffc2 100644
--- a/Mailman/CSRFcheck.py
+++ b/Mailman/CSRFcheck.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2011-2012 by the Free Software Foundation, Inc.
+# Copyright (C) 2011-2013 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -55,8 +55,9 @@ def csrf_check(mlist, token):
try:
issued, keymac = marshal.loads(binascii.unhexlify(token))
key, received_mac = keymac.split(':', 1)
- klist, key = key.split('+', 1)
- assert klist == mlist.internal_name()
+ if not key.startswith(mlist.internal_name() + '+'):
+ return False
+ key = key[len(mlist.internal_name()) + 1:]
if '+' in key:
key, user = key.split('+', 1)
else:
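Review bot: `marshal.loads(binascii.unhexlify(token))` on the first line of the `try:` still unmarshals the token, which is presumably request-supplied, before any MAC comparison has run. The Python documentation warns that `marshal` is not intended to be safe against erroneous or maliciously constructed data. The new `startswith` test is a sound replacement for the `assert` (which disappears under `-O`), but it only runs after that parse has already happened. Consider moving to a plain-text token layout parsed with `issued, keymac = raw.split(':', 1)` followed by `issued = int(issued)`, changed together with the code that issues tokens, which is not in this hunk. The `try:` body and its handler continue outside the hunk, so how a malformed token is rejected cannot be confirmed from here.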