diff options
| -rw-r--r-- | Mailman/CSRFcheck.py | 7 | ||||
| -rwxr-xr-x | NEWS | 3 |
2 files changed, 7 insertions, 3 deletions
diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py index a3b6885a..d531ffc2 100644 --- a/Mailman/CSRFcheck.py +++ b/Mailman/CSRFcheck.py @@ -1,4 +1,4 @@ -# Copyright (C) 2011-2012 by the Free Software Foundation, Inc. +# Copyright (C) 2011-2013 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -55,8 +55,9 @@ def csrf_check(mlist, token): try: issued, keymac = marshal.loads(binascii.unhexlify(token)) key, received_mac = keymac.split(':', 1) - klist, key = key.split('+', 1) - assert klist == mlist.internal_name() + if not key.startswith(mlist.internal_name() + '+'): + return False + key = key[len(mlist.internal_name()) + 1:] if '+' in key: key, user = key.split('+', 1) else: @@ -61,6 +61,9 @@ Here is a history of user visible changes to Mailman. Bug Fixes and other patches + - Fixed a bug causing the admin web interface to fail CSRF checking if + the list name contains a '+' character. (LP: #1190802) + - Fixed bin/mailmanctl -s to not remove the master lock if it can't be determined to be truly stale. (LP: #1189558) |