From 80d4f2a79a1e461a9e434062e02239ccc2448749 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Thu, 7 May 2020 06:53:40 -0700
Subject: Fixed content injection vulnerability via the private login page.

---
 Mailman/Cgi/private.py | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
(limited to 'Mailman')

diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 731e2d19..4b6f2501 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -162,13 +162,9 @@ def main():
         if mlist.isMember(username):
             mlist.MailUserPassword(username)
         elif username:
-            # Not a member
-            if mlist.private_roster == 0:
-                # Public rosters
-                safeuser = Utils.websafe(username)
-                message = Bold(FontSize('+1',
-                    _('No such member: %(safeuser)s.'))).Format()
-            else:
+            # Not a member. Don't report address in any case. It leads to
+            # Content injection. Just log if roster is not public.
+            if mlist.private_roster != 0:
                 syslog('mischief',
                        'Reminder attempt of non-member w/ private rosters: %s',
                        username)
-- 
cgit v1.2.3
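Review bot: The rewritten `elif username:` branch no longer assigns `message` for a non-member on a public roster, so the page renders whatever `message` held before this block (set outside the hunk, presumably the default login text) and a user who mistyped their address gets no feedback at all. That silence is what closes the injection and the member/non-member distinction, so if any hint is wanted it must be a fixed string with no user-supplied content, placed before the `if mlist.isMember(username):` test so both branches produce the same response, e.g. `message = Bold(FontSize('+1', _('If the address is subscribed, a reminder has been sent.'))).Format()`. The retained `syslog('mischief', ...)` call still writes the raw `username` to the log; stripping CR/LF from it before logging would keep a crafted value from forging additional log lines, though how `username` is read from the form is not visible here. The enclosing `main()` starts and ends outside the hunk.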