author | Mark Sapiro <mark@msapiro.net> | 2017-06-05 20:48:34 -0700 |
---|---|---|
committer | Mark Sapiro <mark@msapiro.net> | 2017-06-05 20:48:34 -0700 |
commit | 0d11dc90ee6fc9cc61d32ca3ea6819ca95ac1c12 (patch) | |
tree | f7743c3b5fc245e214bc94da3266bd16f9d664e2 /Mailman/Cgi/roster.py | |
parent | 845dc52970be426af2a766be4609a8bef2bd1c05 (diff) | |
Defend against CGI requests with multiple values for the same parameter.
Diffstat (limited to 'Mailman/Cgi/roster.py')
-rw-r--r-- | Mailman/Cgi/roster.py | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/Mailman/Cgi/roster.py b/Mailman/Cgi/roster.py index cb6847af..739d4fff 100644 --- a/Mailman/Cgi/roster.py +++ b/Mailman/Cgi/roster.py @@ -64,7 +64,7 @@ def main(): # messages in form should go in selected language (if any...) try: - lang = cgidata.getvalue('language') + lang = cgidata.getfirst('language') except TypeError: # Someone crafted a POST with a bad Content-Type:. doc = Document() @@ -85,8 +85,8 @@ def main(): # "admin"-only, then we try to cookie authenticate the user, and failing # that, we check roster-email and roster-pw fields for a valid password. # (also allowed: the list moderator, the list admin, and the site admin). - password = cgidata.getvalue('roster-pw', '').strip() - addr = cgidata.getvalue('roster-email', '').strip() + password = cgidata.getfirst('roster-pw', '').strip() + addr = cgidata.getfirst('roster-email', '').strip() list_hidden = (not mlist.WebAuthenticate((mm_cfg.AuthUser,), password, addr) and mlist.WebAuthenticate((mm_cfg.AuthListModerator, |
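Review bot: Nothing on the new `getfirst()` lines records why `getvalue()` must not come back, so a later cleanup could quietly undo the hardening; this applies to the `roster-pw` / `roster-email` assignments in the second hunk and to the `language` lookup in the first. `FieldStorage.getvalue()` returns a list when a field is repeated, and the chained `.strip()` then raises AttributeError before `WebAuthenticate` is ever reached. I would add a comment above the credential lines such as `# getfirst(): a repeated field makes getvalue() return a list, which has no .strip()`. `getfirst()` also silently takes the first occurrence instead of rejecting the duplicated request, so if a proxy or filter in front of this CGI inspects a different occurrence the two will disagree; it is worth confirming that this is acceptable for the credential fields. `main()` starts and ends outside both hunks, so how `lang` is validated afterwards is not visible here.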