
Source code changes of the file "Mailman/CSRFcheck.py" between
mailman-2.1.38.tgz and mailman-2.1.39.tgz

About: Mailman 2 - The GNU Mailing List Management System.

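--- a/Mailman/CSRFcheck.py
+++ b/Mailman/CSRFcheck.py
@@ -85,25 +85,25 @@
 if key not in ('moderator', 'admin', 'site'):
 syslog('mischief',
 'admindb form submitted with CSRF token issued for %s.',
 key + '+' + user if user else key)
 return False
 if user:
 # This is for CVE-2021-42097. The token is a user token because
 # of the fix for CVE-2021-42096 but it must match the user for
 # whom the options page is requested.
 raw_user = UnobscureEmail(urllib.unquote(user))
-if cgi_user and cgi_user != raw_user:
+if cgi_user and cgi_user.lower() != raw_user.lower():
 syslog('mischief',
 'Form for user %s submitted with CSRF token '
 'issued for %s.',
-options_user, raw_user)
+cgi_user, raw_user)
 return False
 context = keydict.get(key)
 key, secret = mlist.AuthContextInfo(context, user)
 assert key
 mac = sha_new(secret + `issued`).hexdigest()
 if (mac == received_mac
 and 0 < time.time() - issued < mm_cfg.FORM_LIFETIME):
 return True
 return False
 except (AssertionError, ValueError, TypeError):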
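Review bot: The new `cgi_user.lower() != raw_user.lower()` comparison deliberately relaxes the CVE-2021-42097 binding so a token issued for one case spelling of an address is accepted for any other, and the line carries no comment saying why that is safe; presumably member addresses are keyed case-insensitively elsewhere in Mailman, but that is not visible here and should be confirmed. I would add above the line: `# Case-insensitive on purpose: the token and the options form can name the same member with different case, so a strict compare would reject legitimate submissions while still binding the token to one member.` The switch from `options_user` to `cgi_user` in the syslog call also matters for fail-safety: `options_user` is not bound anywhere in this hunk, so the mismatch branch previously raised a NameError that the `except (AssertionError, ValueError, TypeError)` on the last line does not catch, rather than logging and returning False. Separately, and pre-existing, `mac == received_mac` is a non-constant-time comparison of attacker-supplied input; `hmac.compare_digest(mac, received_mac)` is available on Python 2.7.7+ if the project's floor allows it. The enclosing function starts before this hunk and its exception handling continues after it.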
 End of changes. 2 change blocks. 
2 lines changed or deleted 2 lines changed or added
