aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Mailman/Cgi/options.py6
-rw-r--r--Mailman/Cgi/roster.py6
-rw-r--r--Mailman/Cgi/subscribe.py8
-rw-r--r--NEWS4
4 files changed, 12 insertions, 12 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 6841ae64..6316af6e 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2010 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -434,8 +434,8 @@ address. Upon confirmation, any other mailing list containing the address
options_page(mlist, doc, user, cpuser, userlang)
print doc.Format()
return
- newpw = cgidata.getvalue('newpw')
- confirmpw = cgidata.getvalue('confpw')
+ newpw = cgidata.getvalue('newpw', '').strip()
+ confirmpw = cgidata.getvalue('confpw', '').strip()
if not newpw or not confirmpw:
options_page(mlist, doc, user, cpuser, userlang,
_('Passwords may not be blank'))
diff --git a/Mailman/Cgi/roster.py b/Mailman/Cgi/roster.py
index d31608ff..6260c973 100644
--- a/Mailman/Cgi/roster.py
+++ b/Mailman/Cgi/roster.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2008 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -73,8 +73,8 @@ def main():
# "admin"-only, then we try to cookie authenticate the user, and failing
# that, we check roster-email and roster-pw fields for a valid password.
# (also allowed: the list moderator, the list admin, and the site admin).
- password = cgidata.getvalue('roster-pw', '')
- addr = cgidata.getvalue('roster-email', '')
+ password = cgidata.getvalue('roster-pw', '').strip()
+ addr = cgidata.getvalue('roster-email', '').strip()
list_hidden = (not mlist.WebAuthenticate((mm_cfg.AuthUser,),
password, addr)
and mlist.WebAuthenticate((mm_cfg.AuthListModerator,
diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py
index 0d10eb19..7c49c51c 100644
--- a/Mailman/Cgi/subscribe.py
+++ b/Mailman/Cgi/subscribe.py
@@ -125,12 +125,12 @@ def process_form(mlist, doc, cgidata, lang):
syslog('mischief', 'Attempt to self subscribe %s: %s', email, remote)
results.append(_('You may not subscribe a list to itself!'))
# If the user did not supply a password, generate one for him
- password = cgidata.getvalue('pw')
- confirmed = cgidata.getvalue('pw-conf')
+ password = cgidata.getvalue('pw', '').strip()
+ confirmed = cgidata.getvalue('pw-conf', '').strip()
- if password is None and confirmed is None:
+ if not password and not confirmed:
password = Utils.MakeRandomPassword()
- elif password is None or confirmed is None:
+ elif not password or not confirmed:
results.append(_('If you supply a password, you must confirm it.'))
elif password <> confirmed:
results.append(_('Your passwords did not match.'))
diff --git a/NEWS b/NEWS
index f6287bb7..02604231 100644
--- a/NEWS
+++ b/NEWS
@@ -55,8 +55,8 @@ Here is a history of user visible changes to Mailman.
Bug Fixes and other patches
- - Strengthened escaping of user web data by including some characters that
- some older browsers misinterpret as < or >.
+ - Prevented setting user passwords with leading/trailing whitespace.
+ Bug #778088.
- Mailman now sets the 'secure' flag in cookies set via https URLs.
Bug #770377.