rpms / mailman

Clone
Source Code
GIT

Blame SOURCES/mailman-2.1.29-options_content_njection.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-2.1 c8-stream-2.1 c8s-stream-2.1
  1.   23683d069620ed3a946d4e77a2c6f82d0df7ad24
  2.   SOURCES
  3.   mailman-2.1.29-options_content_njection.patch
Blob History Raw
ff575e 
=== modified file 'Mailman/Cgi/private.py'
ff575e 
--- Mailman/Cgi/private.py	2019-03-06 17:48:32 +0000
ff575e 
+++ Mailman/Cgi/private.py	2020-05-07 13:53:40 +0000
ff575e 
@@ -162,13 +162,9 @@
ff575e 
             if mlist.isMember(username):
ff575e 
                 mlist.MailUserPassword(username)
ff575e 
             elif username:
ff575e 
-                # Not a member
ff575e 
-                if mlist.private_roster == 0:
ff575e 
-                    # Public rosters
ff575e 
-                    safeuser = Utils.websafe(username)
ff575e 
-                    message = Bold(FontSize('+1',
ff575e 
-                                  _('No such member: %(safeuser)s.'))).Format()
ff575e 
-                else:
ff575e 
+                # Not a member. Don't report address in any case. It leads to
ff575e 
+                # Content injection. Just log if roster is not public.
ff575e 
+                if mlist.private_roster != 0:
ff575e 
                     syslog('mischief',
ff575e 
                        'Reminder attempt of non-member w/ private rosters: %s',
ff575e 
                        username)
ff575e
ff575e

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation