From 97991cac52b604276f8751828d291c1b2002d9f7 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Fri, 26 Aug 2016 20:47:49 -0700
Subject: Fixes for CVE-2016-6893 and more.
---
 Mailman/htmlformat.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'Mailman/htmlformat.py')
diff --git a/Mailman/htmlformat.py b/Mailman/htmlformat.py
index 2770eb60..f144c069 100755
--- a/Mailman/htmlformat.py
+++ b/Mailman/htmlformat.py
@@ -407,13 +407,14 @@ class Center(StdContainer):
 class Form(Container):
 def __init__(self, action='', method='POST', encoding=None,
- mlist=None, contexts=None, *items):
+ mlist=None, contexts=None, user=None, *items):
 apply(Container.__init__, (self,) + items)
 self.action = action
 self.method = method
 self.encoding = encoding
 self.mlist = mlist
 self.contexts = contexts
+ self.user = user
 def set_action(self, action):
 self.action = action
@@ -428,7 +429,7 @@ class Form(Container):
 if self.mlist:
 output = output + \
 '\n' \
- % csrf_token(self.mlist, self.contexts)
+ % csrf_token(self.mlist, self.contexts, self.user)
 output = output + Container.Format(self, indent+2)
 output = '%s\n%s\n' % (output, spaces)
 return output
-- 
cgit v1.2.3
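Review bot: Placing `user=None` ahead of `*items` in `Form.__init__` changes positional binding: a caller that passes form items positionally after `contexts` would now have its first item bound to `user`, so that item is left out of the container and is later handed to `csrf_token` as the user. The call sites are not part of this diff, so every `Form(...)` construction should be checked to confirm that `user` is passed by keyword and that no caller relies on a sixth positional argument being an item. A comment on the signature would record the hazard, for example `# user precedes *items: the 6th positional argument is the user, not a form item`. The `Form` class and `set_action` continue outside the hunk.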
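Review bot: The call `csrf_token(self.mlist, self.contexts, self.user)` passes `self.user` through even when it is `None`, which is the default for any `Form` built without the new argument. How `csrf_token` treats a `None` user is not visible here, but presumably the token is then not tied to a particular user, so the added protection would apply only on pages whose caller supplies `user`. I would document that at the call, for example `# user=None falls back to a token not bound to a user; per-user pages must pass user`, and confirm that the user-specific pages construct their forms with `user=`. The token is still emitted only when `self.mlist` is set, and the enclosing method starts outside the hunk.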