Blame SOURCES/mailman-2.1.29-options_content_njection.patch

7bc412
=== modified file 'Mailman/Cgi/private.py'
7bc412
--- Mailman/Cgi/private.py	2019-03-06 17:48:32 +0000
7bc412
+++ Mailman/Cgi/private.py	2020-05-07 13:53:40 +0000
7bc412
@@ -162,13 +162,9 @@
7bc412
             if mlist.isMember(username):
7bc412
                 mlist.MailUserPassword(username)
7bc412
             elif username:
7bc412
-                # Not a member
7bc412
-                if mlist.private_roster == 0:
7bc412
-                    # Public rosters
7bc412
-                    safeuser = Utils.websafe(username)
7bc412
-                    message = Bold(FontSize('+1',
7bc412
-                                  _('No such member: %(safeuser)s.'))).Format()
7bc412
-                else:
7bc412
+                # Not a member. Don't report address in any case. It leads to
7bc412
+                # Content injection. Just log if roster is not public.
7bc412
+                if mlist.private_roster != 0:
7bc412
                     syslog('mischief',
7bc412
                        'Reminder attempt of non-member w/ private rosters: %s',
7bc412
                        username)
7bc412
7bc412