diff options
| author | Mark Sapiro <mark@msapiro.net> | 2020-05-07 06:53:40 -0700 |
|---|---|---|
| committer | Mark Sapiro <mark@msapiro.net> | 2020-05-07 06:53:40 -0700 |
| commit | 80d4f2a79a1e461a9e434062e02239ccc2448749 (patch) | |
| tree | a62517448a4d7945995f74e9739d0574ba5d7033 /Mailman | |
| parent | f7ec5a7da93b99d385b353ac6505719834cb764e (diff) | |
| download | mailman2-80d4f2a79a1e461a9e434062e02239ccc2448749.tar.gz mailman2-80d4f2a79a1e461a9e434062e02239ccc2448749.tar.xz mailman2-80d4f2a79a1e461a9e434062e02239ccc2448749.zip | |
Fixed content injection vulnerability via the private login page.
Diffstat (limited to 'Mailman')
| -rw-r--r-- | Mailman/Cgi/private.py | 10 |
1 files changed, 3 insertions, 7 deletions
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py index 731e2d19..4b6f2501 100644 --- a/Mailman/Cgi/private.py +++ b/Mailman/Cgi/private.py @@ -162,13 +162,9 @@ def main(): if mlist.isMember(username): mlist.MailUserPassword(username) elif username: - # Not a member - if mlist.private_roster == 0: - # Public rosters - safeuser = Utils.websafe(username) - message = Bold(FontSize('+1', - _('No such member: %(safeuser)s.'))).Format() - else: + # Not a member. Don't report address in any case. It leads to + # Content injection. Just log if roster is not public. + if mlist.private_roster != 0: syslog('mischief', 'Reminder attempt of non-member w/ private rosters: %s', username) |