

Viewing changes to Mailman/Cgi/options.py

  • Committer: Mark Sapiro
  • Date: 2023-04-05 23:46:40 UTC
  • Revision ID: mark@msapiro.net-20230405234640-ch6cymtar5k81c5h
Fixed another possible list membership leak via the user options CGI.

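--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2023 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -294,7 +294,9 @@
         # to authenticate via cgi (instead of cookie), then print an error
         # message.
         if cgidata.has_key('password'):
-            doc.addError(_('Authentication failed.'))
+            if mlist.private_roster == 0:
+                # Only add error with public rosters lp: #2015416
+                doc.addError(_('Authentication failed.'))
             remote = os.environ.get('HTTP_FORWARDED_FOR',
                      os.environ.get('HTTP_X_FORWARDED_FOR',
                      os.environ.get('REMOTE_ADDR',
@@ -310,7 +312,9 @@
                        user, remote)
                 user = None
             # give an HTTP 401 for authentication failure
-            print 'Status: 401 Unauthorized'
+            if mlist.private_roster == 0:
+                # Only add error with public rosters lp: #2015416
+                print 'Status: 401 Unauthorized'
         loginpage(mlist, doc, user, language)
         print doc.Format()
         return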
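Review bot: The comment copied onto the second gate, "Only add error with public rosters", no longer matches the line it guards, which emits the 401 status rather than an error message; `# Only send the 401 status with public rosters lp: #2015416` would describe it. Both new gates test `mlist.private_roster == 0` inside the same `if cgidata.has_key('password'):` block, so computing it once near the top of that block, e.g. `public_roster = (mlist.private_roster == 0)`, and testing `if public_roster:` at both sites would keep the two leak-relevant conditions from drifting apart in later edits. With a private roster a failed password attempt now falls through to loginpage() with neither the error text nor the 401, which is the point of the fix; presumably the resulting page is then the same whether or not the address is subscribed, but that depends on loginpage() and the earlier handling of `user`, both outside the hunk. The enclosing function starts before the hunk and continues after it.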