-rw-r--r--Mailman/Cgi/options.py12
-rw-r--r--Mailman/Utils.py5
-rwxr-xr-xNEWS3
3 files changed, 20 insertions, 0 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 853a3922..c1c08659 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -52,6 +52,18 @@ def main():
doc = Document()
doc.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+ method = Utils.GetRequestMethod()
+ if method.lower() not in ('get', 'post'):
+ title = _('CGI script error')
+ doc.SetTitle(title)
+ doc.AddItem(Header(2, title))
+ doc.addError(_('Invalid request method: %(method)s'))
+ doc.AddItem('<hr>')
+ doc.AddItem(MailmanLogo())
+ print 'Status: 405 Method Not Allowed'
+ print doc.Format()
+ return
+
parts = Utils.GetPathPieces()
lenparts = parts and len(parts)
if not parts or lenparts < 1:
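Review bot: The rejected method string is interpolated into the error page by `doc.addError(_('Invalid request method: %(method)s'))`, and it is read from the REQUEST_METHOD environment variable, which the client influences. Whether `addError` or `_` HTML-escapes the value is not visible in this hunk; if neither does, escape it first with `method = Utils.websafe(method)` just before the `addError` call. A 405 response should also name the permitted methods, so `print 'Allow: GET, POST'` next to the Status line would help clients and scanners interpret the rejection. main() starts and continues outside the hunk.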
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 1bbb9bb1..1a08c119 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -261,6 +261,11 @@ def GetPathPieces(envar='PATH_INFO'):
+def GetRequestMethod():
+ return os.environ.get('REQUEST_METHOD')
+
+
+
def ScriptURL(target, web_page_url=None, absolute=False):
"""target - scriptname only, nothing extra
web_page_url - the list's configvar of the same name
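Review bot: GetRequestMethod() returns None when REQUEST_METHOD is not set, and the new caller in Mailman/Cgi/options.py calls `method.lower()` on the result unconditionally, so a missing variable would raise AttributeError instead of producing the 405 page. Returning an empty string, `return os.environ.get('REQUEST_METHOD', '')`, keeps the caller's allow-list check fail-closed without a None guard at every call site. A one-line docstring such as `"""Return the CGI REQUEST_METHOD, or '' when it is not set."""` would document that contract.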
diff --git a/NEWS b/NEWS
index e668ce9e..37371e6a 100755
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,9 @@ Here is a history of user visible changes to Mailman.
Bug fixes and other patches
+ - The options CGI now rejects all but HTTP GET and POST requests.
+ (LP: #1372199)
+
- A list's poster password will now be accepted on an Urgent: header.
(LP: #1371678)