diff options
| author | Mark Sapiro <mark@msapiro.net> | 2013-06-13 17:48:43 -0700 |
|---|---|---|
| committer | Mark Sapiro <mark@msapiro.net> | 2013-06-13 17:48:43 -0700 |
| commit | 3c41c584c3bd587e0d38ab48ba63a47ead2b18e3 (patch) | |
| tree | 460de9d65231e24bdeb8ca3c19d75a5b07b225fe /Mailman/CSRFcheck.py | |
| parent | 34d5cbf83819f464d365ec7ecb731f94771bf446 (diff) | |
| download | mailman2-3c41c584c3bd587e0d38ab48ba63a47ead2b18e3.tar.gz mailman2-3c41c584c3bd587e0d38ab48ba63a47ead2b18e3.tar.xz mailman2-3c41c584c3bd587e0d38ab48ba63a47ead2b18e3.zip | |
- Fixed a bug causing the admin web interface to fail CSRF checking if
the list name contains a '+' character. (LP: #1190802)
Diffstat (limited to 'Mailman/CSRFcheck.py')
| -rw-r--r-- | Mailman/CSRFcheck.py | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py index a3b6885a..d531ffc2 100644 --- a/Mailman/CSRFcheck.py +++ b/Mailman/CSRFcheck.py @@ -1,4 +1,4 @@ -# Copyright (C) 2011-2012 by the Free Software Foundation, Inc. +# Copyright (C) 2011-2013 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -55,8 +55,9 @@ def csrf_check(mlist, token): try: issued, keymac = marshal.loads(binascii.unhexlify(token)) key, received_mac = keymac.split(':', 1) - klist, key = key.split('+', 1) - assert klist == mlist.internal_name() + if not key.startswith(mlist.internal_name() + '+'): + return False + key = key[len(mlist.internal_name()) + 1:] if '+' in key: key, user = key.split('+', 1) else: |