From 6f9679030c1c2037a6a12555dbfe02445b012646 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Wed, 16 Sep 2015 17:39:34 -0700
Subject: Defended against a user submitting URLs with query fragments or POST data containing multiple occurrences of the same variable.

---
 Mailman/Cgi/options.py | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'Mailman/Cgi')

diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index c400e9fb..7b2c70b5 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -129,6 +129,14 @@ def main():
             return
     else:
         user = Utils.LCDomain(Utils.UnobscureEmail(SLASH.join(parts[1:])))
+    # If a user submits a form or URL with post data or query fragments
+    # with multiple occurrences of the same variable, we can get a list
+    # here. Be as careful as possible.
+    if isinstance(user, list) or isinstance(user, tuple):
+        if len(user) == 0:
+            user = ''
+        else:
+            user = user[-1]
     # Avoid cross-site scripting attacks
     safeuser = Utils.websafe(user)
-- 
cgit v1.2.3
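Review bot: The new guard `if isinstance(user, list) or isinstance(user, tuple):` is more idiomatically written `if isinstance(user, (list, tuple)):`, and `if len(user) == 0:` reads better as `if not user:`. More importantly, the added comment does not say which duplicate wins or why; since silently taking the last occurrence decides which address the rest of the handler acts on, I would extend it with `# When duplicates are present the last occurrence wins; an empty list becomes '' so the string handling below (websafe and the member lookups) never sees a list.` The list presumably originates in the form-data branch above the hunk rather than in the `Utils.LCDomain(...)` path, which always yields a string, so placing the normalisation after the if/else rather than inside one branch looks right. `main()` starts and ends outside the hunk.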