-rw-r--r-- | Mailman/CSRFcheck.py | 4 | ||||
-rw-r--r-- | NEWS | 7 |
2 files changed, 9 insertions, 2 deletions
diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py
index 9a0b67fc..1fd8b07d 100644
--- a/Mailman/CSRFcheck.py
+++ b/Mailman/CSRFcheck.py
@@ -85,11 +85,11 @@ def csrf_check(mlist, token, cgi_user=None):
 # of the fix for CVE-2021-42096 but it must match the user for
 # whom the options page is requested.
 raw_user = UnobscureEmail(urllib.unquote(user))
- if cgi_user and cgi_user != raw_user:
+ if cgi_user and cgi_user.lower() != raw_user.lower():
 syslog('mischief', 'Form for user %s submitted with CSRF token ' 'issued for %s.',
- options_user, raw_user)
+ cgi_user, raw_user)
 return False
 context = keydict.get(key)
 key, secret = mlist.AuthContextInfo(context, user)
@@ -5,6 +5,13 @@ Copyright (C) 1998-2020 by the Free Software Foundation, Inc.
 Here is a history of user visible changes to Mailman.
+2.1.39 (xx-xxx-xxxx)
+
+ Bug Fixes and other patches
+
+ - User matching for CSRF tokens is no longer case sensitive., and a
+ potential NamerError in logging is fixed. (LP: #1954694)
+
 2.1.38 (30-Nov-2021)
 Security |
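Review bot: The case-folded compare on the new `if cgi_user and cgi_user.lower() != raw_user.lower():` line loosens the user binding that the CVE-2021-42096 fix relies on, and the comment just above it should state why that is still safe, e.g. `# Compare case-insensitively: addresses differing only in case are treated as the same member, so a token issued for one spelling must be honoured for the other (LP: #1954694).`. Note that `.lower()` on a Python 2 byte string folds only ASCII, so if either side can be a unicode object with non-ASCII characters the same member may still compare unequal; worth a test if that case is reachable. The corrected syslog call now writes `cgi_user`, which presumably arrives straight from the submitted form, into the mischief log verbatim; logging `repr(cgi_user)` or stripping newlines first would keep each mischief entry on a single line for whoever parses that log. `csrf_check` starts and ends outside the hunk.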