From 0d11dc90ee6fc9cc61d32ca3ea6819ca95ac1c12 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Mon, 5 Jun 2017 20:48:34 -0700
Subject: Defend against CGI requests with multiple values for the same parameter.
---
 Mailman/Cgi/private.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'Mailman/Cgi/private.py')
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 0f7597a2..ce3c6563 100755
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -119,7 +119,7 @@ def main():
 cgidata = cgi.FieldStorage()
 try:
- username = cgidata.getvalue('username', '')
+ username = cgidata.getfirst('username', '')
 except TypeError:
 # Someone crafted a POST with a bad Content-Type:.
 doc.AddItem(Header(2, _("Error")))
@@ -128,7 +128,7 @@ def main():
 print 'Status: 400 Bad Request'
 print doc.Format()
 return
- password = cgidata.getvalue('password', '')
+ password = cgidata.getfirst('password', '')
 is_auth = 0
 realname = mlist.real_name
--
cgit v1.2.3
From 4d3f440efd8b01cd16cb0d0644cac5fce3609b46 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Mon, 5 Jun 2017 22:47:05 -0700
Subject: Bumped Copyrights and fixed a bug in prior commit.
---
 Mailman/Cgi/private.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'Mailman/Cgi/private.py')
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index ce3c6563..80369e84 100755
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2016 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2017 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
--
cgit v1.2.3
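Review bot: Nothing in either credential hunk of the first commit records why `getfirst` is used, so a later cleanup could switch the `username` and `password` lookups back to `getvalue` without noticing the regression. `getvalue` returns a list when a parameter is repeated in the request, and the rest of `main()` (which starts and ends outside these hunks) presumably treats both values as strings. I would add one comment above the `username` lookup, e.g. `# getfirst(), not getvalue(): a repeated parameter must not turn this into a list.`, which also covers the `password` line in the second hunk. Other handlers that read request fields with `getvalue` are not visible on this page (the view is limited to private.py) and are worth checking for the same pattern.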