~msapiro/mailman/mhonarc


Viewing changes to Mailman/Cgi/options.py

  • Committer: Mark Sapiro
  • Date: 2021-10-20 00:53:53 UTC
  • mfrom: (1629.23.62 2.1)
  • Revision ID: mark@msapiro.net-20211020005353-y3mh8ry7zg7inctd
Tags: 2.1.35
Merged from 2.1 branch.

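--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -54,9 +54,6 @@
     True = 1
     False = 0
 
-AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
-                 mm_cfg.AuthListModerator, mm_cfg.AuthUser)
-
 
 def main():
     global _
@@ -124,15 +121,6 @@
         print doc.Format()
         return
 
-    if set(params) - set(safe_params):
-        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'))
-    else:
-        csrf_checked = True
-    # if password is present, void cookie to force password authentication.
-    if cgidata.getfirst('password'):
-        os.environ['HTTP_COOKIE'] = ''
-        csrf_checked = True
-
     # Set the language for the page.  If we're coming from the listinfo cgi,
     # we might have a 'language' key in the cgi data.  That was an explicit
     # preference to view the page in, so we should honor that here.  If that's
@@ -169,6 +157,16 @@
             user = user[-1].strip()
 
     # Avoid cross-site scripting attacks
+    if set(params) - set(safe_params):
+        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'),
+                                  Utils.UnobscureEmail(urllib.unquote(user)))
+    else:
+        csrf_checked = True
+    # if password is present, void cookie to force password authentication.
+    if cgidata.getfirst('password'):
+        os.environ['HTTP_COOKIE'] = ''
+        csrf_checked = True
+
     safeuser = Utils.websafe(user)
     try:
         Utils.ValidateEmail(user)
@@ -871,8 +869,9 @@
         mlist.FormatButton('othersubs',
                            _('List my other subscriptions')))
     replacements['<mm-form-start>'] = (
+        # Always make the CSRF token for the user. CVE-2021-42096
         mlist.FormatFormStart('options', user, mlist=mlist, 
-            contexts=AUTH_CONTEXTS, user=user))
+            contexts=[mm_cfg.AuthUser], user=user))
     replacements['<mm-user>'] = user
     replacements['<mm-presentable-user>'] = presentable_user
     replacements['<mm-email-my-pw>'] = mlist.FormatButton(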
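Review bot: In the hunk at old line 169 the moved CSRF block is inserted directly under `# Avoid cross-site scripting attacks`, so that comment now appears to describe the token check instead of the `safeuser = Utils.websafe(user)` line it belongs to. Keep that comment immediately above the websafe call and give the moved block its own explanation, e.g. `# The CSRF token is now bound to the user (CVE-2021-42096), so the check must run after user is known.`, which also records why the block was moved down from its old position after the early return. The `csrf_checked = True` on a supplied password is a deliberate bypass of the token check that only makes sense if the password is verified later; the existing comment says "force password authentication", but a reader of this block cannot confirm that here, so a pointer to where that verification happens would help — main() starts and continues outside the hunk, and the csrf_check signature that now takes a third argument is not visible either.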