path: root/Mailman/Cgi/subscribe.py
author: Ralf Jung <post@ralfj.de> 2018-06-03 22:19:49 +0200
committer: Ralf Jung <post@ralfj.de> 2018-06-03 22:19:49 +0200
commit: f1e9440ad3e4babcdc9999f572f7b4d7929130b1
tree: d358af58a14d0e7f60da750507bc5d1f03207fb9 /Mailman/Cgi/subscribe.py
parent: d1bbecfd795d3fb615dad0171a0a19c21d9937a9
Separate data in CSRF token by colon to avoid collisions.
This makes the data-to-token function injective. Previously, for example, the list called "list1" and the IP "10.0.0.0" would have the same hash as the list called "list" and the IP "110.0.0.0", as the strings were just concatenated.
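The collision described in the commit message, reproduced as an added Python example that is not part of Mailman's code: it hashes the two (list name, IP) pairs under the old plain concatenation, under the colon-separated form this commit introduces, and, for comparison, under a keyed, length-prefixed encoding added here. hashlib.sha1 stands in for Utils.sha_new (assumed to be SHA-1); the secret and the form timestamp are constructed values, not anything from a real installation.

```python
import hashlib
import hmac

# Constructed stand-ins; the real values come from mm_cfg.SUBSCRIBE_FORM_SECRET
# and from the request. hashlib.sha1 stands in for Utils.sha_new (assumed SHA-1).
SECRET = "constructed-example-secret"
FTIME = "1528057189"


def token_concat(secret, ftime, listname, remote):
    """Scheme before the commit: plain concatenation of the four fields."""
    return hashlib.sha1((secret + ftime + listname + remote).encode()).hexdigest()


def token_colon(secret, ftime, listname, remote):
    """Scheme after the commit: the four fields joined by ':'."""
    return hashlib.sha1(":".join((secret, ftime, listname, remote)).encode()).hexdigest()


def length_prefixed(fields):
    """Encode fields as <len>:<text>... so any character, including ':', is allowed."""
    return "".join("%d:%s" % (len(f), f) for f in fields)


def token_hmac(secret, ftime, listname, remote):
    """Keyed variant (added here, not Mailman's): HMAC over a length-prefixed
    encoding, so neither a separator character nor a secret prefix carries
    the unambiguity."""
    msg = length_prefixed((ftime, listname, remote)).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def same_token(scheme, a, b):
    """True if two (listname, remote) pairs map to the same token under scheme."""
    return scheme(SECRET, FTIME, *a) == scheme(SECRET, FTIME, *b)


# The collision named in the commit message: "list1"+"10.0.0.0" == "list"+"110.0.0.0".
COMMIT_CASE = (("list1", "10.0.0.0"), ("list", "110.0.0.0"))
# A constructed pair the colon scheme still cannot tell apart if a list name
# could ever contain ':' (the separator then appears inside a field).
COLON_CASE = (("a:b", "c"), ("a", "b:c"))

if __name__ == "__main__":
    for name, scheme in (("concat", token_concat), ("colon", token_colon), ("hmac", token_hmac)):
        print("%-6s commit case collides: %-5s  colon case collides: %s" % (
            name, same_token(scheme, *COMMIT_CASE), same_token(scheme, *COLON_CASE)))
```

The colon case shows what the separator does and does not buy: it is sufficient exactly as long as every field before the last one is guaranteed never to contain ':'. Length-prefixing removes that dependency on field contents, and the HMAC replaces the secret-as-prefix construction with a proper keyed MAC.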
Diffstat (limited to '')
-rwxr-xr-x Mailman/Cgi/subscribe.py | 6
1 files changed, 3 insertions, 3 deletions
diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py
index aefce493..b6527a2a 100755
--- a/Mailman/Cgi/subscribe.py
+++ b/Mailman/Cgi/subscribe.py
@@ -173,9 +173,9 @@ def process_form(mlist, doc, cgidata, lang):
except ValueError:
ftime = fhash = ''
then = 0
- token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
- ftime +
- mlist.internal_name() +
+ token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" +
+ ftime + ":" +
+ mlist.internal_name() + ":" +
remote1).hexdigest()
if ftime and now - then > mm_cfg.FORM_LIFETIME:
results.append(_('The form is too old. Please GET it again.'))
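Review bot: the ':' separator in the token lines only makes the hashed string unambiguous while every field before the last one is guaranteed never to contain ':'. ftime is presumably safe, since the except ValueError branch above resets it to '' when it does not parse as a number, and remote1 sits last so an IPv6 address with colons is still parsed uniquely; mlist.internal_name() is the one field whose character set nothing in this hunk constrains, so either add a comment next to the token stating the invariant (e.g. `# ':' keeps the hash input unambiguous; ftime and the list name never contain ':'`) or switch to an encoding that does not depend on it, such as length-prefixing each field, and consider hmac with SUBSCRIBE_FORM_SECRET as the key rather than a secret-prefixed sha_new. Note also that every subscribe form fetched before this change is deployed will fail the hash comparison afterwards, because the string hashed for the same ftime, list and remote1 has changed; that is distinct from the 'form is too old' path and worth a line in the commit message or release notes.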