From 0d11dc90ee6fc9cc61d32ca3ea6819ca95ac1c12 Mon Sep 17 00:00:00 2001
From: Mark Sapiro <mark@msapiro.net>
Date: Mon, 5 Jun 2017 20:48:34 -0700
Subject: Defend against CGI requests with multiple values for the same
 parameter.

---
 Mailman/Gui/Privacy.py |  6 +++---
 Mailman/Gui/Topics.py  | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)

(limited to 'Mailman/Gui')

diff --git a/Mailman/Gui/Privacy.py b/Mailman/Gui/Privacy.py
index 2a9cca26..f6de8a32 100644
--- a/Mailman/Gui/Privacy.py
+++ b/Mailman/Gui/Privacy.py
@@ -641,9 +641,9 @@ class Privacy(GUIBase):
             if cgidata.has_key(deltag):
                 continue
             # Get the data for the current box
-            pattern = cgidata.getvalue(reboxtag)
+            pattern = cgidata.getfirst(reboxtag)
             try:
-                action  = int(cgidata.getvalue(actiontag))
+                action  = int(cgidata.getfirst(actiontag))
                 # We'll get a TypeError when the actiontag is missing and the
                 # .getvalue() call returns None.
             except (ValueError, TypeError):
@@ -682,7 +682,7 @@ class Privacy(GUIBase):
             # Was this an add item?
             if cgidata.has_key(addtag):
                 # Where should the new one be added?
-                where = cgidata.getvalue(wheretag)
+                where = cgidata.getfirst(wheretag)
                 if where == 'before':
                     # Add a new empty rule box before the current one
                     rules.append(('', mm_cfg.DEFER, True))
diff --git a/Mailman/Gui/Topics.py b/Mailman/Gui/Topics.py
index ec60dbda..642059e5 100644
--- a/Mailman/Gui/Topics.py
+++ b/Mailman/Gui/Topics.py
@@ -114,9 +114,9 @@ class Topics(GUIBase):
             if cgidata.has_key(deltag):
                 continue
             # Get the data for the current box
-            name  = cgidata.getvalue(boxtag)
-            pattern = cgidata.getvalue(reboxtag)
-            desc  = cgidata.getvalue(desctag)
+            name  = cgidata.getfirst(boxtag)
+            pattern = cgidata.getfirst(reboxtag)
+            desc  = cgidata.getfirst(desctag)
             if name is None:
                 # We came to the end of the boxes
                 break
@@ -138,7 +138,7 @@ class Topics(GUIBase):
             # Was this an add item?
             if cgidata.has_key(addtag):
                 # Where should the new one be added?
-                where = cgidata.getvalue(wheretag)
+                where = cgidata.getfirst(wheretag)
                 if where == 'before':
                     # Add a new empty topics box before the current one
                     topics.append(('', '', '', True))
@@ -154,14 +154,14 @@ class Topics(GUIBase):
         # options.
         mlist.topics = topics
         try:
-            mlist.topics_enabled = int(cgidata.getvalue(
+            mlist.topics_enabled = int(cgidata.getfirst(
                 'topics_enabled',
                 mlist.topics_enabled))
         except ValueError:
             # BAW: should really print a warning
             pass
         try:
-            mlist.topics_bodylines_limit = int(cgidata.getvalue(
+            mlist.topics_bodylines_limit = int(cgidata.getfirst(
                 'topics_bodylines_limit',
                 mlist.topics_bodylines_limit))
         except ValueError:
-- 
cgit v1.2.3