From 97991cac52b604276f8751828d291c1b2002d9f7 Mon Sep 17 00:00:00 2001
From: Mark Sapiro <mark@msapiro.net>
Date: Fri, 26 Aug 2016 20:47:49 -0700
Subject: Fixes for CVE-2016-6893 and more.

---
 Mailman/HTMLFormatter.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'Mailman/HTMLFormatter.py')

diff --git a/Mailman/HTMLFormatter.py b/Mailman/HTMLFormatter.py
index 901e7e58..5fcce75b 100644
--- a/Mailman/HTMLFormatter.py
+++ b/Mailman/HTMLFormatter.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2015 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2016 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -28,6 +28,8 @@ from Mailman.htmlformat import *
 
 from Mailman.i18n import _
 
+from Mailman.CSRFcheck import csrf_token
+
 
 EMPTYSTRING = ''
 BR = '<br>'
@@ -317,12 +319,17 @@ class HTMLFormatter:
             container.AddItem("</center>")
         return container
 
-    def FormatFormStart(self, name, extra=''):
+    def FormatFormStart(self, name, extra='',
+                        mlist=None, contexts=None, user=None):
         base_url = self.GetScriptURL(name)
         if extra:
             full_url = "%s/%s" % (base_url, extra)
         else:
             full_url = base_url
+        if mlist:
+            return ("""<form method="POST" action="%s">
+<input type="hidden" name="csrf_token" value="%s">""" 
+                % (full_url, csrf_token(mlist, contexts, user)))
         return ('<FORM Method=POST ACTION="%s">' % full_url)
 
     def FormatArchiveAnchor(self):
-- 
cgit v1.2.3