From ccc55497603d5079bd2f95045f42a26a351811c6 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Wed, 6 Mar 2019 09:48:32 -0800
Subject: Strip leading/trailing spaces from login email for private and options login.
---
 Mailman/Cgi/options.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'Mailman/Cgi/options.py')
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 3a3b7841..641ec134 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -144,7 +144,7 @@ def main():
 doc.set_language(language)
 if lenparts < 2:
- user = cgidata.getfirst('email')
+ user = cgidata.getfirst('email', '').strip()
 if not user:
 # If we're coming from the listinfo page and we left the email
 # address field blank, it's not an error. Likewise if we're
@@ -161,11 +161,12 @@ def main():
 # If a user submits a form or URL with post data or query fragments
 # with multiple occurrences of the same variable, we can get a list
 # here. Be as careful as possible.
+ # This is no longer required because of getfirst() above, but leave it.
 if isinstance(user, list) or isinstance(user, tuple):
 if len(user) == 0:
 user = ''
 else:
- user = user[-1]
+ user = user[-1].strip()
 # Avoid cross-site scripting attacks
 safeuser = Utils.websafe(user)
--
cgit v1.2.3
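Review bot: A whitespace-only `email` value now collapses to `''` on the changed `getfirst` line and takes the `if not user:` branch, but the comment under it still describes only a field that was left blank. The outcome is reasonable, yet it is a behaviour change worth recording there, e.g. `# A blank or whitespace-only address is not an error when we come from listinfo.` Keep in mind that `.strip()` trims only the two ends, so embedded whitespace or control characters in the login address still rely on whatever validation follows and on the `Utils.websafe(user)` call visible in the second hunk. main() begins and ends outside this hunk.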
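Review bot: The list/tuple branch is now commented as no longer required, yet it is still edited, and it selects `user[-1]` while `getfirst()` selects the first value, so the two paths would normalize to different addresses if the branch were ever reached. For a login identifier it is cleaner to have one normalization point: either drop the branch or make it agree with `getfirst()` by using `user = user[0].strip()`. If `user` can also be assigned on the lines between the two hunks, which are not shown, that value presumably is not stripped. A single `user = user.strip()` placed just before `safeuser = Utils.websafe(user)` would cover every source. The enclosing function continues past the end of the hunk.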