Diffstat (limited to 'Mailman/Cgi/options.py')
-rw-r--r-- | Mailman/Cgi/options.py | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 3db0a172..af6e3add 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -156,17 +156,6 @@ def main():
 else:
 user = user[-1].strip()
- # Avoid cross-site scripting attacks
- if set(params) - set(safe_params):
- csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'),
- Utils.UnobscureEmail(urllib.unquote(user)))
- else:
- csrf_checked = True
- # if password is present, void cookie to force password authentication.
- if cgidata.getfirst('password'):
- os.environ['HTTP_COOKIE'] = ''
- csrf_checked = True
-
 safeuser = Utils.websafe(user)
 try:
 Utils.ValidateEmail(user)
@@ -183,6 +172,17 @@ def main():
 print doc.Format()
 return
+ # Avoid cross-site scripting attacks
+ if set(params) - set(safe_params):
+ csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'),
+ Utils.UnobscureEmail(urllib.unquote(user)))
+ else:
+ csrf_checked = True
+ # if password is present, void cookie to force password authentication.
+ if cgidata.getfirst('password'):
+ os.environ['HTTP_COOKIE'] = ''
+ csrf_checked = True
+
 # Find the case preserved email address (the one the user subscribed with)
 lcuser = user.lower()
 try: |
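Review bot: The address passed to `csrf_check` in the added block is `Utils.UnobscureEmail(urllib.unquote(user))`, a decoded form of `user`, whereas the `Utils.ValidateEmail(user)` call that now runs first (context of the first hunk) validates the raw string, so the token is checked against a value that was not itself validated. If `user` is already decoded at this point, pass `user` directly; otherwise decode once before validation and reuse that value. The comment `# Avoid cross-site scripting attacks` moved with the block, but it now heads a CSRF token check and would read better as `# Verify the CSRF token unless only safe parameters were submitted`. The password branch sets `csrf_checked = True` on the mere presence of a `password` field, which presumably relies on the password being verified later in `main()`, outside this hunk; a comment stating that dependency would help the next reader.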