Description: Arbitrary content injection via Cgi/private.py archive login page
Origin: https://bugs.launchpad.net/mailman/+bug/1877379
Author: Mark Sapiro
=== modified file 'Mailman/Cgi/private.py'
Index: mailman-2.1.26/Mailman/Cgi/private.py
===================================================================
--- mailman-2.1.26.orig/Mailman/Cgi/private.py
+++ mailman-2.1.26/Mailman/Cgi/private.py
@@ -155,13 +155,9 @@ def main():
 if mlist.isMember(username):
 mlist.MailUserPassword(username)
 elif username:
- # Not a member
- if mlist.private_roster == 0:
- # Public rosters
- safeuser = Utils.websafe(username)
- message = Bold(FontSize('+1',
- _('No such member: %(safeuser)s.'))).Format()
- else:
+ # Not a member. Don't report address in any case. It leads to
+ # Content injection. Just log if roster is not public.
+ if mlist.private_roster != 0:
 syslog('mischief', 'Reminder attempt of non-member w/ private rosters: %s', username)
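Review bot: After the rewrite the public-roster case (`mlist.private_roster == 0`) falls through without assigning `message`, so a non-member on a public list now gets no feedback at all; whether `message` is initialised earlier in main() cannot be seen here, because the function starts before the hunk, and if it is not, any later use of `message` would fail only on this path. If the silence is intended — it also stops the page from confirming that an address is not subscribed — the new comment should say so, e.g. `# Not a member. Never echo the address (content injection, LP: #1877379) and give no hint whether it exists; log only when the roster is private.`. The raw `username` still reaches the syslog call on the unchanged lines below; if that log is parsed by tooling, the same caution applies there (for instance writing it as `repr(username)`), though that is outside this fix.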