Fix NameError and case sensitivity in CSRF check.

author: Mark Sapiro <mark@msapiro.net> 2021-12-13 10:13:41 -0800
committer: Mark Sapiro <mark@msapiro.net> 2021-12-13 10:13:41 -0800
commit: 7d7489577f3012195e1d5b49f5bd5a41a0de115a (patch)
tree: 772761f130086d034bd3fdf86a94b38c7693aa86 /Mailman
parent: 2d8ebb99b6ce134c92c35502753a5246d4884e1e (diff)
download: mailman2-7d7489577f3012195e1d5b49f5bd5a41a0de115a.tar.gz
mailman2-7d7489577f3012195e1d5b49f5bd5a41a0de115a.tar.xz
mailman2-7d7489577f3012195e1d5b49f5bd5a41a0de115a.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py
index 9a0b67fc..1fd8b07d 100644
--- a/Mailman/CSRFcheck.py
+++ b/Mailman/CSRFcheck.py
@@ -85,11 +85,11 @@ def csrf_check(mlist, token, cgi_user=None):
             # of the fix for CVE-2021-42096 but it must match the user for
             # whom the options page is requested.
             raw_user = UnobscureEmail(urllib.unquote(user))
-            if cgi_user and cgi_user != raw_user:
+            if cgi_user and cgi_user.lower() != raw_user.lower():
                 syslog('mischief',
                        'Form for user %s submitted with CSRF token '
                        'issued for %s.',
-                       options_user, raw_user)
+                       cgi_user, raw_user)
                 return False
         context = keydict.get(key)
         key, secret = mlist.AuthContextInfo(context, user)
author	Mark Sapiro <mark@msapiro.net>	2021-12-13 10:13:41 -0800
committer	Mark Sapiro <mark@msapiro.net>	2021-12-13 10:13:41 -0800
commit	7d7489577f3012195e1d5b49f5bd5a41a0de115a (patch)
tree	772761f130086d034bd3fdf86a94b38c7693aa86 /Mailman
parent	2d8ebb99b6ce134c92c35502753a5246d4884e1e (diff)
download	mailman2-7d7489577f3012195e1d5b49f5bd5a41a0de115a.tar.gz mailman2-7d7489577f3012195e1d5b49f5bd5a41a0de115a.tar.xz mailman2-7d7489577f3012195e1d5b49f5bd5a41a0de115a.zip