authorMark Sapiro <mark@msapiro.net>2017-06-05 20:48:34 -0700
committerMark Sapiro <mark@msapiro.net>2017-06-05 20:48:34 -0700
commit0d11dc90ee6fc9cc61d32ca3ea6819ca95ac1c12 (patch)
treef7743c3b5fc245e214bc94da3266bd16f9d664e2 /Mailman/Cgi/create.py
parent845dc52970be426af2a766be4609a8bef2bd1c05 (diff)
Defend against CGI requests with multiple values for the same parameter.
Diffstat (limited to '')
-rw-r--r--Mailman/Cgi/create.py34
1 files changed, 17 insertions, 17 deletions
diff --git a/Mailman/Cgi/create.py b/Mailman/Cgi/create.py
index 3c2a7dc4..9421731f 100644
--- a/Mailman/Cgi/create.py
+++ b/Mailman/Cgi/create.py
@@ -44,7 +44,7 @@ def main():
cgidata = cgi.FieldStorage()
try:
- cgidata.getvalue('doit', '')
+ cgidata.getfirst('doit', '')
except TypeError:
# Someone crafted a POST with a bad Content-Type:.
doc.AddItem(Header(2, _("Error")))
@@ -85,26 +85,26 @@ def main():
def process_request(doc, cgidata):
# Lowercase the listname since this is treated as the "internal" name.
- listname = cgidata.getvalue('listname', '').strip().lower()
- owner = cgidata.getvalue('owner', '').strip()
+ listname = cgidata.getfirst('listname', '').strip().lower()
+ owner = cgidata.getfirst('owner', '').strip()
try:
- autogen = int(cgidata.getvalue('autogen', '0'))
+ autogen = int(cgidata.getfirst('autogen', '0'))
except ValueError:
autogen = 0
try:
- notify = int(cgidata.getvalue('notify', '0'))
+ notify = int(cgidata.getfirst('notify', '0'))
except ValueError:
notify = 0
try:
- moderate = int(cgidata.getvalue('moderate',
+ moderate = int(cgidata.getfirst('moderate',
mm_cfg.DEFAULT_DEFAULT_MEMBER_MODERATION))
except ValueError:
moderate = mm_cfg.DEFAULT_DEFAULT_MEMBER_MODERATION
- password = cgidata.getvalue('password', '').strip()
- confirm = cgidata.getvalue('confirm', '').strip()
- auth = cgidata.getvalue('auth', '').strip()
- langs = cgidata.getvalue('langs', [mm_cfg.DEFAULT_SERVER_LANGUAGE])
+ password = cgidata.getfirst('password', '').strip()
+ confirm = cgidata.getfirst('confirm', '').strip()
+ auth = cgidata.getfirst('auth', '').strip()
+ langs = cgidata.getfirst('langs', [mm_cfg.DEFAULT_SERVER_LANGUAGE])
if not isinstance(langs, ListType):
langs = [langs]
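Review bot: `getfirst('langs', ...)` on the last changed line keeps only the first submitted language, yet the `isinstance(langs, ListType)` check right below it shows this field is meant to carry several values, so a creator who selects more than one language would silently get only one. Unlike the scalar fields above, this parameter should be read as a list, e.g. `langs = cgidata.getlist('langs') or [mm_cfg.DEFAULT_SERVER_LANGUAGE]`, which always yields a list of strings and still avoids the type confusion the commit is defending against. process_request continues past the end of the hunk, so whether each entry is later checked against the installed languages is not visible here.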
@@ -342,14 +342,14 @@ def request_creation(doc, cgidata=dummy, errmsg=None):
ftable.AddRow([Center(Italic(_('List Identity')))])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, colspan=2)
- listname = cgidata.getvalue('listname', '')
+ listname = cgidata.getfirst('listname', '')
# MAS: Don't websafe twice. TextBox does it.
ftable.AddRow([Label(_('Name of list:')),
TextBox('listname', listname)])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
- owner = cgidata.getvalue('owner', '')
+ owner = cgidata.getfirst('owner', '')
# MAS: Don't websafe twice. TextBox does it.
ftable.AddRow([Label(_('Initial list owner address:')),
TextBox('owner', owner)])
@@ -357,7 +357,7 @@ def request_creation(doc, cgidata=dummy, errmsg=None):
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
try:
- autogen = int(cgidata.getvalue('autogen', '0'))
+ autogen = int(cgidata.getfirst('autogen', '0'))
except ValueError:
autogen = 0
ftable.AddRow([Label(_('Auto-generate initial list password?')),
@@ -367,24 +367,24 @@ def request_creation(doc, cgidata=dummy, errmsg=None):
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
- safepasswd = Utils.websafe(cgidata.getvalue('password', ''))
+ safepasswd = Utils.websafe(cgidata.getfirst('password', ''))
ftable.AddRow([Label(_('Initial list password:')),
PasswordBox('password', safepasswd)])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
- safeconfirm = Utils.websafe(cgidata.getvalue('confirm', ''))
+ safeconfirm = Utils.websafe(cgidata.getfirst('confirm', ''))
ftable.AddRow([Label(_('Confirm initial password:')),
PasswordBox('confirm', safeconfirm)])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
try:
- notify = int(cgidata.getvalue('notify', '1'))
+ notify = int(cgidata.getfirst('notify', '1'))
except ValueError:
notify = 1
try:
- moderate = int(cgidata.getvalue('moderate',
+ moderate = int(cgidata.getfirst('moderate',
mm_cfg.DEFAULT_DEFAULT_MEMBER_MODERATION))
except ValueError:
moderate = mm_cfg.DEFAULT_DEFAULT_MEMBER_MODERATION
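Review bot: The submitted `password` and `confirm` values are still written back into the response through `PasswordBox('password', safepasswd)` and `PasswordBox('confirm', safeconfirm)`, so on an error redisplay the cleartext initial list password appears to end up in the returned HTML, where browser or proxy caches can retain it. Consider redisplaying these two fields empty, `PasswordBox('password', '')` and `PasswordBox('confirm', '')`, and having the user retype them. request_creation starts and ends outside this hunk, so how PasswordBox renders its value is inferred from the call, not confirmed.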