author | Mark Sapiro <mark@msapiro.net> | 2021-10-18 16:56:42 -0700 |
committer | Mark Sapiro <mark@msapiro.net> | 2021-10-18 16:56:42 -0700 |
commit | 5ea7ee4e955d96177e461b0a1f2c2be04df12ea8 (patch) | |
tree | ade915f7858d465fa9d837d385b1b4db5704d949 /Mailman/Cgi | |
parent | e5cc9a25db87802b300834a890d0c5e274deaf6d (diff) | |
Fixes for CVE-2021-42096 and CVE-2021-42097.
Diffstat (limited to 'Mailman/Cgi')
-rw-r--r-- | Mailman/Cgi/options.py | 25 |
1 files changed, 12 insertions, 13 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 1037f8f9..60b7d9b6 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -54,9 +54,6 @@ except NameError:
     True = 1
     False = 0
 
 
-AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
-                 mm_cfg.AuthListModerator, mm_cfg.AuthUser)
-
 def main():
     global _
@@ -124,15 +121,6 @@ def main():
         print doc.Format()
         return
 
-    if set(params) - set(safe_params):
-        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'))
-    else:
-        csrf_checked = True
-    # if password is present, void cookie to force password authentication.
-    if cgidata.getfirst('password'):
-        os.environ['HTTP_COOKIE'] = ''
-        csrf_checked = True
-
     # Set the language for the page. If we're coming from the listinfo cgi,
     # we might have a 'language' key in the cgi data. That was an explicit
     # preference to view the page in, so we should honor that here. If that's
@@ -169,6 +157,16 @@ def main():
         user = user[-1].strip()
 
     # Avoid cross-site scripting attacks
+    if set(params) - set(safe_params):
+        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'),
+                                  Utils.UnobscureEmail(urllib.unquote(user)))
+    else:
+        csrf_checked = True
+    # if password is present, void cookie to force password authentication.
+    if cgidata.getfirst('password'):
+        os.environ['HTTP_COOKIE'] = ''
+        csrf_checked = True
+
     safeuser = Utils.websafe(user)
     try:
         Utils.ValidateEmail(user)
@@ -871,8 +869,9 @@ def options_page(mlist, doc, user, cpuser, userlang, message=''):
         mlist.FormatButton('othersubs',
                            _('List my other subscriptions')))
     replacements['<mm-form-start>'] = (
+        # Always make the CSRF token for the user. CVE-2021-42096
         mlist.FormatFormStart('options', user, mlist=mlist,
-                              contexts=AUTH_CONTEXTS, user=user))
+                              contexts=[mm_cfg.AuthUser], user=user))
     replacements['<mm-user>'] = user
     replacements['<mm-presentable-user>'] = presentable_user
     replacements['<mm-email-my-pw>'] = mlist.FormatButton(
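Review bot: The relocated CSRF block in the third hunk is inserted between the existing `# Avoid cross-site scripting attacks` comment and the `safeuser = Utils.websafe(user)` line that comment describes, so the comment now reads as if it explained the CSRF check. Either place the new block above that comment or give it its own header line, e.g. `# Check the CSRF token for the user named in this request.` The call also passes `Utils.UnobscureEmail(urllib.unquote(user))` to csrf_check while the lines that follow validate the raw `user`; if `user` was already unquoted where it was extracted earlier in main(), a one-line comment saying the second decode is intentional would save the next reader a trip. main() starts and ends outside this hunk, and the `csrf_checked` flag it sets is consumed further down in code not shown here.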
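Review bot: In the last hunk the new comment `# Always make the CSRF token for the user. CVE-2021-42096` sits inside the parenthesised argument expression opened by `replacements['<mm-form-start>'] = (`; moving it to the line above the assignment keeps the call expression uninterrupted and reads as a statement-level note. It would also help to record why only `mm_cfg.AuthUser` is passed now that `AUTH_CONTEXTS` has been removed from this module in the same commit, e.g. `# Generate the form's CSRF token in the AuthUser context only; AUTH_CONTEXTS was dropped. CVE-2021-42096`. options_page continues outside this hunk.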