From 0d11dc90ee6fc9cc61d32ca3ea6819ca95ac1c12 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Mon, 5 Jun 2017 20:48:34 -0700
Subject: Defend against CGI requests with multiple values for the same parameter.
---
 Mailman/Cgi/roster.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'Mailman/Cgi/roster.py')
diff --git a/Mailman/Cgi/roster.py b/Mailman/Cgi/roster.py
index cb6847af..739d4fff 100644
--- a/Mailman/Cgi/roster.py
+++ b/Mailman/Cgi/roster.py
@@ -64,7 +64,7 @@ def main():
 # messages in form should go in selected language (if any...)
 try:
- lang = cgidata.getvalue('language')
+ lang = cgidata.getfirst('language')
 except TypeError:
 # Someone crafted a POST with a bad Content-Type:.
 doc = Document()
@@ -85,8 +85,8 @@ def main():
 # "admin"-only, then we try to cookie authenticate the user, and failing
 # that, we check roster-email and roster-pw fields for a valid password.
 # (also allowed: the list moderator, the list admin, and the site admin).
- password = cgidata.getvalue('roster-pw', '').strip()
- addr = cgidata.getvalue('roster-email', '').strip()
+ password = cgidata.getfirst('roster-pw', '').strip()
+ addr = cgidata.getfirst('roster-email', '').strip()
 list_hidden = (not mlist.WebAuthenticate((mm_cfg.AuthUser,),
 password, addr)
 and mlist.WebAuthenticate((mm_cfg.AuthListModerator,
--
cgit v1.2.3
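Review bot: Neither `getfirst()` call site records why `getvalue()` was replaced, so nothing at the `lang = cgidata.getfirst('language')` line or at the `roster-pw` / `roster-email` lines in the second hunk stops a later cleanup from reverting them. `getvalue()` returns a list when a parameter is repeated, so the chained `.strip()` on the credential fields would raise AttributeError before `WebAuthenticate` is reached; what a list-valued `lang` does further down is outside the hunk. I would add above the password line: `# getfirst(), not getvalue(): a repeated parameter makes getvalue() return a list, and .strip() then fails.` The existing `except TypeError` should still cover the bad Content-Type case, since `getfirst()` also raises TypeError when the form is not indexable. `main()` begins and ends outside both hunks, and the `list_hidden` expression continues past the end of the second one.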