author | Yasuhito FUTATSUKI at POEM <futatuki@poem.co.jp> | 2016-08-28 00:30:29 +0900 |
committer | Yasuhito FUTATSUKI at POEM <futatuki@poem.co.jp> | 2016-08-28 00:30:29 +0900 |
commit | 0aaf0a65b317cf64ff47595b4c57c3fa4a97dc7f (patch) | |
tree | e47de4b9704acf1d696eb863f3bcfff7e73a1737 /Mailman/Cgi/admindb.py | |
parent | a302a27393d816018943cd58e933e17da9398fe7 (diff) | |
parent | d85ac809ee9d20c0b944082863da9410f7d3e252 (diff) | |
Merge lp:mailman/2.1 up to 1671 (2.1.23)
Diffstat (limited to 'Mailman/Cgi/admindb.py')
-rw-r--r-- | Mailman/Cgi/admindb.py | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/Mailman/Cgi/admindb.py b/Mailman/Cgi/admindb.py
index 1e9fad0f..3c9f4002 100644
--- a/Mailman/Cgi/admindb.py
+++ b/Mailman/Cgi/admindb.py
@@ -39,6 +39,7 @@ from Mailman.ListAdmin import readMessage
 from Mailman.Cgi import Auth
 from Mailman.htmlformat import *
 from Mailman.Logging.Syslog import syslog
+from Mailman.CSRFcheck import csrf_check
 
 EMPTYSTRING = ''
 NL = '\n'
@@ -58,6 +59,9 @@ if mm_cfg.DISPLAY_HELD_SUMMARY_SORT_BUTTONS in (SSENDERTIME, STIME):
 else:
     ssort = SSENDER
 
+AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
+                 mm_cfg.AuthListModerator)
+
 
 
 def helds_by_skey(mlist, ssort=SSENDER):
@@ -135,6 +139,18 @@ def main():
         print doc.Format()
         return
 
+    # CSRF check
+    safe_params = ['adminpw', 'admlogin', 'msgid', 'sender', 'details']
+    params = cgidata.keys()
+    if set(params) - set(safe_params):
+        csrf_checked = csrf_check(mlist, cgidata.getvalue('csrf_token'))
+    else:
+        csrf_checked = True
+    # if password is present, void cookie to force password authentication.
+    if cgidata.getvalue('adminpw'):
+        os.environ['HTTP_COOKIE'] = ''
+        csrf_checked = True
+
     if not mlist.WebAuthenticate((mm_cfg.AuthListAdmin,
                                   mm_cfg.AuthListModerator,
                                   mm_cfg.AuthSiteAdmin),
@@ -212,7 +228,11 @@ def main():
     elif not details:
         # This is a form submission
         doc.SetTitle(_('%(realname)s Administrative Database Results'))
-        process_form(mlist, doc, cgidata)
+        if csrf_checked:
+            process_form(mlist, doc, cgidata)
+        else:
+            doc.addError(
+                _('The form lifetime has expired. (request forgery check)'))
     # Now print the results and we're done. Short circuit for when there
     # are no pending requests, but be sure to save the results!
     admindburl = mlist.GetScriptURL('admindb', absolute=1)
@@ -234,7 +254,7 @@ def main():
         mlist.Save()
         return
 
-    form = Form(admindburl)
+    form = Form(admindburl, mlist=mlist, contexts=AUTH_CONTEXTS)
     # Add the instructions template
     if details == 'instructions':
         doc.AddItem(Header(
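Review bot: The `adminpw` branch sets `csrf_checked = True`, so any request carrying the admin password skips the token check entirely; the reasoning — a cross-site forgery cannot know the password, so a password-bearing request is its own proof of origin — is worth stating next to the existing comment, e.g. `# A forged cross-site request cannot carry the admin password, so a request that does is trusted without a token; void the cookie so it must pass password authentication.` `cgidata.getvalue('csrf_token')` yields None when the field is absent, and whether `csrf_check` treats None as a plain failure rather than raising is not visible from this file and should be confirmed. main() begins before and continues after this hunk.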
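Review bot: The new `else` branch reports a failed request-forgery check only to the browser and leaves no server-side record; `syslog` is already imported in this file, so recording the rejection — e.g. `syslog('mischief', 'admindb CSRF check failed for list %s', mlist.internal_name())` just before the `doc.addError(` call — would let operators notice repeated forgery attempts against the moderation interface. Only the `process_form` call is gated by `csrf_checked`; if main() has any other state-changing path that runs regardless of the flag it stays unprotected, but main() continues outside the hunk so that cannot be confirmed here.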
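Review bot: `AUTH_CONTEXTS` orders the contexts as (AuthListAdmin, AuthSiteAdmin, AuthListModerator) while the `WebAuthenticate` call earlier in main() passes them inline as (AuthListAdmin, AuthListModerator, AuthSiteAdmin); if `Form` picks the first context the caller's cookie satisfies when issuing the token, the two orders could select different contexts for a user holding more than one cookie, which cannot be verified from this file. Passing `AUTH_CONTEXTS` to `WebAuthenticate` as well would drop the duplicated tuple and keep the two in step. The enclosing main() continues outside the hunk.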