From 3c41c584c3bd587e0d38ab48ba63a47ead2b18e3 Mon Sep 17 00:00:00 2001
From: Mark Sapiro <mark@msapiro.net>
Date: Thu, 13 Jun 2013 17:48:43 -0700
Subject: - Fixed a bug causing the admin web interface to fail CSRF checking
 if   the list name contains a '+' character.  (LP: #1190802)

---
 Mailman/CSRFcheck.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'Mailman/CSRFcheck.py')

diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py
index a3b6885a..d531ffc2 100644
--- a/Mailman/CSRFcheck.py
+++ b/Mailman/CSRFcheck.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2011-2012 by the Free Software Foundation, Inc.
+# Copyright (C) 2011-2013 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -55,8 +55,9 @@ def csrf_check(mlist, token):
     try:
         issued, keymac = marshal.loads(binascii.unhexlify(token))
         key, received_mac = keymac.split(':', 1)
-        klist, key = key.split('+', 1)
-        assert klist == mlist.internal_name()
+        if not key.startswith(mlist.internal_name() + '+'):
+            return False
+        key = key[len(mlist.internal_name()) + 1:]
         if '+' in key:
             key, user = key.split('+', 1)
         else:
-- 
cgit v1.2.3