mailman/CVE-2020-15011.patch
starlet-dx 84e068463d fix CVE-2020-15011
(cherry picked from commit 743d820ab532a7b5a2c006bc31a52986139210ff)
2021-10-25 15:28:53 +08:00


Description: Arbitrary content injection via Cgi/private.py archive login page
Origin: https://bugs.launchpad.net/mailman/+bug/1877379
Author: Mark Sapiro
=== modified file 'Mailman/Cgi/private.py'
Index: mailman-2.1.26/Mailman/Cgi/private.py
===================================================================
--- mailman-2.1.26.orig/Mailman/Cgi/private.py
+++ mailman-2.1.26/Mailman/Cgi/private.py
@@ -155,13 +155,9 @@ def main():
if mlist.isMember(username):
mlist.MailUserPassword(username)
elif username:
- # Not a member
- if mlist.private_roster == 0:
- # Public rosters
- safeuser = Utils.websafe(username)
- message = Bold(FontSize('+1',
- _('No such member: %(safeuser)s.'))).Format()
- else:
+ # Not a member. Don't report address in any case. It leads to
+ # Content injection. Just log if roster is not public.
+ if mlist.private_roster != 0:
syslog('mischief',
'Reminder attempt of non-member w/ private rosters: %s',
username)
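Review bot: The replacement branch at `+ if mlist.private_roster != 0:` no longer assigns `message`, so the response page now shows whatever text was assigned to `message` earlier in main() (above this hunk, not visible here) for members and non-members alike, and the new comment should state that so a later maintainer does not reintroduce a per-address message. Suggested wording: `# Not a member. Never echo the address back: rendering it in the page allowed content injection (CVE-2020-15011), so the generic message set above is shown whether or not the address is subscribed. Only log when the roster is private.` The retained `syslog('mischief', ...)` call still writes `username` verbatim to the log; if the CGI parsing above the hunk does not strip line breaks, an embedded newline would split the entry into two log lines, which is worth confirming where `username` is read. main() begins and ends outside this hunk.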