aboutsummaryrefslogtreecommitdiffstats
path: root/Mailman/Cgi/options.py (unfollow)
Commit message (Collapse)AuthorFilesLines
2020-05-18Extend REFUSE_SECOND_PENDING to unsubscription as well.Mark Sapiro1-0/+3
2020-05-05Fixed options login content injection vulnerability.Mark Sapiro1-1/+1
2019-03-06Strip leading/trailing spaces from login email for private and options login.Mark Sapiro1-2/+3
2018-12-30Corrected and augmented some security log messages.Mark Sapiro1-1/+1
2018-06-18Added global _ where needed.Mark Sapiro1-0/+1
2018-06-16enhance i18n in admin(un)?subscribeack messagesYasuhito FUTATSUKI at POEM1-1/+2
2018-06-10Changes based on feedback from Mark.Jim Popovitch1-4/+6
2018-02-04Fix XSS and info leak in options CGI - CVE-2018-5950Mark Sapiro1-15/+17
2017-06-07Reverted another getfirst in the multi-value CGI defence.Mark Sapiro1-1/+1
2017-06-05Bumped Copyrights and fixed a bug in prior commit.Mark Sapiro1-1/+1
2017-06-05Defend against CGI requests with multiple values for the same parameter.Mark Sapiro1-22/+22
2017-06-04Fixed a regression in Cgi/options.py.Mark Sapiro1-12/+12
2016-08-26Fixes for CVE-2016-6893 and more.Mark Sapiro1-1/+27
2016-07-14Catch TypeError from certain defective crafted POST requests.Mark Sapiro1-2/+12
2015-12-06Submitting the user options form for a user who was asynchronouslyMark Sapiro1-0/+8
unsubscribed would throw an uncaught NotAMemberError.
2015-09-16Defended against a user submitting URLs with query fragments or POSTMark Sapiro1-0/+8
data containing multiple occurrences of the same variable.
2015-07-20Don't show digest options on user's options page for non-digestable lists.Mark Sapiro1-2/+8
2015-06-23Support for HTTP_X_FORWARDED_FOR and HTTP_FORWARDED_FOR (RFC 7239) Jim Popovitch1-3/+10
2015-01-22A number of changes from the unofficial 2.2 branch have been backported toMark Sapiro1-15/+17
the 2.1 branch for release with 2.1.19. The 2.2 branch is now no different from the 2.1 branch and will no longer be maintained.
2014-11-07Catch the NotAMemberError exception thrown if an authenticatedMark Sapiro1-0/+7
unsubscribe is submitted from the user options page for a nonmember.
2014-09-21The options CGI now rejects all but HTTP GET and POST requests.Mark Sapiro1-0/+12
2014-03-21 - Added the list name to the vette log "held message approved" entry.Mark Sapiro1-2/+2
(LP: 1295875) - Added the CGI module name to various "No such list" error log entries. (LP: 1295875) - Modified contrib/mmdsr to report module name if present in "No such list error log entries.
2011-06-07The user options 'list my other subscriptions' page now indicates forMark Sapiro1-0/+6
each list if the subscription is 'nomail' or 'digest'. Bug #793669.
2011-05-09Prevented setting user passwords with leading/trailing whitespace. Bug #778088.Mark Sapiro1-3/+3
2010-07-27Changed the member options login page unsubscribe request to include theMark Sapiro1-1/+2
requesters IP address in the confirmation request. Bug #610527.
2010-03-29Added roster to the CGIs that return HTTP 401 status for an authenticationMark Sapiro1-0/+2
failure, and return HTTP 404 status from all CGIs for an invalid list name.
2010-02-04We now give an HTTP 401 status for authentication failures from admin,Mark Sapiro1-1/+3
admindb, private and options logins.
2008-04-14options.py - Made the ability for a list admin to change a members passwordMark Sapiro1-0/+8
conditional on mm_cfg.OWNERS_CAN_CHANGE_MEMBER_PASSWORDS. Defaults.py.in - Added OWNERS_CAN_CHANGE_MEMBER_PASSWORDS = No.
2008-03-06CookHeaders.py - Changed the first URL in the RFC 2369 List-Unsubscribe:Mark Sapiro1-4/+7
header to go to the options login page instead of the listinfo page. options.py - Changed to only issue the "No address given" error if coming from the page itself so we don't get the error when linking from another page or the List-Unsubscribe: header. - Changed to remember the user's language selection when redisplaying the page after an error.
2007-11-04- Cgi/options.py - fixed to not present the "empty" topic to user.Mark Sapiro1-1/+3
- Handlers/CalcRecips.py - Changed to not process topics if topics are disabled for the list.
2006-08-30CVE-2006-3636. Fixes for various cross-site scripting issues. Discovery bybwarsaw1-2/+2
Moritz Naumann and most of the repair work done by Mark Sapiro (with some additional work by Barry).
2005-12-03Improving banned subscription logic to cover all invites, subscribes, ↵msapiro1-0/+5
address changes and confirmations of same.
2005-11-30As of 2.1.6, List admins can change user's option/subscription globally.tkikuchi1-11/+56
This is not good if list admin cannot be fully trusted. This patch disables the list admin's ability of changing the user option/subscription globally; changes are effective only within the list. Site admin can change globally if mm_cfg.ALLOW_SITE_ADMIN_COOKIES is set Yes.
2005-08-27FSF office has moved to 51 Franklin Street.tkikuchi1-1/+1
2004-02-29main(): The list lock must be held in order to pend unsubscription requests.bwarsaw1-12/+13
2004-02-17main(): It's possible that if you're logged in as the list admin, you can getbwarsaw1-3/+5
to the end of the function trying to present the options page for a non-existant user, causing a traceback. At the last second, do one more isMember() check and return the loginpage if the address isn't a member of the list.
2003-11-03main(): Fix for bug #832748, where unsubscribe_policy was beingbwarsaw1-4/+24
ignored for the unsub button on the member login page. Report and original patch by Pasi Sjoholm, modify by Barry. Forward port candidate.
2003-02-08Backporting from the trunk.bwarsaw1-15/+26
2003-01-02main(): In the change-of-address section, we only want to show thebwarsaw1-3/+5
"you are already using that email address" message if the newaddress matches the case-preserved (subscribed) address. Also, in the set_address section, if cpuser is None, set it to the the user address, since that's what we'll use now as the old address in the ChangeMemberAddress() call. This and related changes should fix problems when the address we're changing to differs for the current address by case only.