~msapiro/mailman/htdig

Viewing changes to Mailman/CSRFcheck.py

  • Committer: Mark Sapiro
  • Date: 2021-12-13 20:40:59 UTC
  • mfrom: (1629.23.73 2.1)
  • Revision ID: mark@msapiro.net-20211213204059-lzqosg6k9rv7cp58
Tags: 2.1.39
Merged from 2.1 branch.

85
85
            # of the fix for CVE-2021-42096 but it must match the user for
86
86
            # whom the options page is requested.
87
87
            raw_user = UnobscureEmail(urllib.unquote(user))
88
 
            if cgi_user and cgi_user != raw_user:
 
88
            if cgi_user and cgi_user.lower() != raw_user.lower():
89
89
                syslog('mischief',
90
90
                       'Form for user %s submitted with CSRF token '
91
91
                       'issued for %s.',
92
 
                       options_user, raw_user)
 
92
                       cgi_user, raw_user)
93
93
                return False
94
94
        context = keydict.get(key)
95
95
        key, secret = mlist.AuthContextInfo(context, user)
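Review bot: the new case-insensitive comparison on line 88 (`cgi_user.lower() != raw_user.lower()`) is not explained by the comment above it on lines 85-87, which only says the check is part of the fix for CVE-2021-42096 and that the user must match; add a sentence there stating why case is ignored, i.e. that Mailman treats member addresses case-insensitively, so a token issued for an address typed in one case must still be accepted when the options form is submitted with the same address in another case. The second change in the hunk, replacing `options_user` with `cgi_user` in the syslog arguments on line 92, is the right fix for the log message: the format string names the form's user first and the token's user second, and `cgi_user` is the name actually compared on line 88, whereas `options_user` is not defined anywhere visible in this hunk. One remaining caveat: the `.lower()` calls assume both values are strings, which holds for `cgi_user` only because of the `cgi_user and` guard on the same line, so keep that guard if the condition is ever restructured.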