From f1e9440ad3e4babcdc9999f572f7b4d7929130b1 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 3 Jun 2018 22:19:49 +0200 Subject: Separate data in CSRF token by colon to avoid collisions. This makes the data-to-token function injective. Previously, for example, the list called "list1" and the IP "10.0.0.0" would have the same hash as the list called "list" and the IP "110.0.0.0", as the strings were just concatenated. --- Mailman/Cgi/listinfo.py | 6 +++--- Mailman/Cgi/subscribe.py | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py index 78fda942..b55c263d 100644 --- a/Mailman/Cgi/listinfo.py +++ b/Mailman/Cgi/listinfo.py @@ -218,9 +218,9 @@ def list_listinfo(mlist, lang): remote = remote.rsplit(':', 1)[0] replacements[''] += ( '\n' - % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + - now + - mlist.internal_name() + + % (now, Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" + + now + ":" + + mlist.internal_name() + ":" + remote ).hexdigest() ) diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py index aefce493..b6527a2a 100755 --- a/Mailman/Cgi/subscribe.py +++ b/Mailman/Cgi/subscribe.py @@ -173,9 +173,9 @@ def process_form(mlist, doc, cgidata, lang): except ValueError: ftime = fhash = '' then = 0 - token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + - ftime + - mlist.internal_name() + + token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET + ":" + + ftime + ":" + + mlist.internal_name() + ":" + remote1).hexdigest() if ftime and now - then > mm_cfg.FORM_LIFETIME: results.append(_('The form is too old. Please GET it again.')) -- cgit v1.2.3