Diffstat (limited to 'Mailman/CSRFcheck.py')
-rw-r--r-- | Mailman/CSRFcheck.py | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py
index 9a0b67fc..1fd8b07d 100644
--- a/Mailman/CSRFcheck.py
+++ b/Mailman/CSRFcheck.py
@@ -85,11 +85,11 @@ def csrf_check(mlist, token, cgi_user=None):
 # of the fix for CVE-2021-42096 but it must match the user for
 # whom the options page is requested.
 raw_user = UnobscureEmail(urllib.unquote(user))
- if cgi_user and cgi_user != raw_user:
+ if cgi_user and cgi_user.lower() != raw_user.lower():
 syslog('mischief',
 'Form for user %s submitted with CSRF token '
 'issued for %s.',
- options_user, raw_user)
+ cgi_user, raw_user)
 return False
 context = keydict.get(key)
 key, secret = mlist.AuthContextInfo(context, user)
 |
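Review bot: The comment above the comparison still says the token "must match the user", but the new test `cgi_user.lower() != raw_user.lower()` accepts addresses that differ only in case, and nothing in the hunk records why that is safe for this check. I would add a line such as `# Compared case-insensitively; assumes member addresses are treated as case-insensitive elsewhere` so a later reader does not tighten or loosen it by accident. Separately, the syslog call now formats `cgi_user` with `%s`; if that value arrives unmodified from the request (its origin is outside this hunk), logging it with `%r` would keep control characters from splitting 'mischief' log entries. csrf_check starts before and continues past this hunk.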