aboutsummaryrefslogtreecommitdiffstats
path: root/Mailman/Cgi
diff options
context:
space:
mode:
authorMark Sapiro <mark@msapiro.net>2020-05-07 06:53:40 -0700
committerMark Sapiro <mark@msapiro.net>2020-05-07 06:53:40 -0700
commit80d4f2a79a1e461a9e434062e02239ccc2448749 (patch)
treea62517448a4d7945995f74e9739d0574ba5d7033 /Mailman/Cgi
parentf7ec5a7da93b99d385b353ac6505719834cb764e (diff)
downloadmailman2-80d4f2a79a1e461a9e434062e02239ccc2448749.tar.gz
mailman2-80d4f2a79a1e461a9e434062e02239ccc2448749.tar.xz
mailman2-80d4f2a79a1e461a9e434062e02239ccc2448749.zip
Fixed content injection vulnerability via the private login page.
Diffstat (limited to 'Mailman/Cgi')
-rw-r--r--Mailman/Cgi/private.py10
1 files changed, 3 insertions, 7 deletions
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 731e2d19..4b6f2501 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -162,13 +162,9 @@ def main():
if mlist.isMember(username):
mlist.MailUserPassword(username)
elif username:
- # Not a member
- if mlist.private_roster == 0:
- # Public rosters
- safeuser = Utils.websafe(username)
- message = Bold(FontSize('+1',
- _('No such member: %(safeuser)s.'))).Format()
- else:
+ # Not a member. Don't report address in any case. It leads to
+ # Content injection. Just log if roster is not public.
+ if mlist.private_roster != 0:
syslog('mischief',
'Reminder attempt of non-member w/ private rosters: %s',
username)