Defend against CGI requests with multiple values for the same parameter.

author: Mark Sapiro <mark@msapiro.net> 2017-06-05 20:48:34 -0700
committer: Mark Sapiro <mark@msapiro.net> 2017-06-05 20:48:34 -0700
commit: 0d11dc90ee6fc9cc61d32ca3ea6819ca95ac1c12 (patch)
tree: f7743c3b5fc245e214bc94da3266bd16f9d664e2 /Mailman/Cgi/private.py
parent: 845dc52970be426af2a766be4609a8bef2bd1c05 (diff)
download: mailman2-0d11dc90ee6fc9cc61d32ca3ea6819ca95ac1c12.tar.gz
mailman2-0d11dc90ee6fc9cc61d32ca3ea6819ca95ac1c12.tar.xz
mailman2-0d11dc90ee6fc9cc61d32ca3ea6819ca95ac1c12.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 0f7597a2..ce3c6563 100755
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -119,7 +119,7 @@ def main():
 
     cgidata = cgi.FieldStorage()
     try:
-        username = cgidata.getvalue('username', '')
+        username = cgidata.getfirst('username', '')
     except TypeError:
         # Someone crafted a POST with a bad Content-Type:.
         doc.AddItem(Header(2, _("Error")))
@@ -128,7 +128,7 @@ def main():
         print 'Status: 400 Bad Request'
         print doc.Format()
         return
-    password = cgidata.getvalue('password', '')
+    password = cgidata.getfirst('password', '')
 
     is_auth = 0
     realname = mlist.real_name
author	Mark Sapiro <mark@msapiro.net>	2017-06-05 20:48:34 -0700
committer	Mark Sapiro <mark@msapiro.net>	2017-06-05 20:48:34 -0700
commit	0d11dc90ee6fc9cc61d32ca3ea6819ca95ac1c12 (patch)
tree	f7743c3b5fc245e214bc94da3266bd16f9d664e2 /Mailman/Cgi/private.py
parent	845dc52970be426af2a766be4609a8bef2bd1c05 (diff)
download	mailman2-0d11dc90ee6fc9cc61d32ca3ea6819ca95ac1c12.tar.gz mailman2-0d11dc90ee6fc9cc61d32ca3ea6819ca95ac1c12.tar.xz mailman2-0d11dc90ee6fc9cc61d32ca3ea6819ca95ac1c12.zip