-rw-r--r--Mailman/Cgi/options.py24
-rw-r--r--NEWS3
2 files changed, 15 insertions, 12 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index faf732da..0bfa510a 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -110,7 +110,17 @@ def main():
# CSRF check
safe_params = ['displang-button', 'language', 'email', 'password', 'login',
'login-unsub', 'login-remind', 'VARHELP', 'UserOptions']
- params = cgidata.keys()
+ try:
+ params = cgidata.keys()
+ except TypeError:
+ # Someone crafted a POST with a bad Content-Type:.
+ doc.AddItem(Header(2, _("Error")))
+ doc.AddItem(Bold(_('Invalid options to CGI script.')))
+ # Send this with a 400 status.
+ print 'Status: 400 Bad Request'
+ print doc.Format()
+ return
+
if set(params) - set(safe_params):
csrf_checked = csrf_check(mlist, cgidata.getvalue('csrf_token'))
else:
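Review bot: The comment in the new `except TypeError:` branch does not say why `cgidata.keys()` raises, nor that this guard must stay the first access to `cgidata` in `main()`, which is the ordering the previous placement got wrong. Python 2's `cgi.FieldStorage` raises `TypeError` from `keys()` and `getvalue()` when the request body was not parsed as form data, so the later `cgidata.getvalue('csrf_token')` and `cgidata.getvalue('language')` calls are safe only because this guard runs before them. I would extend the comment to `# FieldStorage raises TypeError on any key access when the POST body is not form data; keep this guard ahead of every other cgidata access.` The branch also returns without writing a log entry, so repeated malformed requests would leave no trace in Mailman's own logs; a one-line log call before the `return` would help detection. `main()` begins and continues outside this hunk.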
@@ -124,17 +134,7 @@ def main():
# we might have a 'language' key in the cgi data. That was an explicit
# preference to view the page in, so we should honor that here. If that's
# not available, use the list's default language.
- try:
- language = cgidata.getvalue('language')
- except TypeError:
- # Someone crafted a POST with a bad Content-Type:.
- doc.AddItem(Header(2, _("Error")))
- doc.AddItem(Bold(_('Invalid options to CGI script.')))
- # Send this with a 400 status.
- print 'Status: 400 Bad Request'
- print doc.Format()
- return
-
+ language = cgidata.getvalue('language')
if not Utils.IsLanguage(language):
language = mlist.preferred_language
i18n.set_language(language)
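Review bot: `cgidata.getvalue('language')` returns a list when the request carries the `language` field more than once, and that value now goes straight into `Utils.IsLanguage(language)`. `Utils.IsLanguage` is not shown here, so whether it tolerates a non-string argument cannot be confirmed from this hunk; `language = cgidata.getfirst('language')` would always yield a single string or `None`. The same consideration applies to `cgidata.getvalue('csrf_token')` in the first hunk. The surrounding `main()` body lies outside this hunk.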
diff --git a/NEWS b/NEWS
index 9b0bbd46..8ac616bb 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,9 @@ Here is a history of user visible changes to Mailman.
Bug fixes and other patches
+ - The fix for LP: #1614841 caused a regression in the options CGI. This
+ has been fixed. (LP: #1602608)
+
- Added a -a option to the (e)grep commands in contrib/mmdsr to account
for logs that may have non-ascii and be seen as binary.