mailman/CVE-2020-15011.patch

Description: Arbitrary content injection via Cgi/private.py archive login page
Origin: https://bugs.launchpad.net/mailman/+bug/1877379
Author: Mark Sapiro

=== modified file 'Mailman/Cgi/private.py'
Index: mailman-2.1.26/Mailman/Cgi/private.py
===================================================================
--- mailman-2.1.26.orig/Mailman/Cgi/private.py
+++ mailman-2.1.26/Mailman/Cgi/private.py
@@ -155,13 +155,9 @@ def main():
             if mlist.isMember(username):
                 mlist.MailUserPassword(username)
             elif username:
-                # Not a member
-                if mlist.private_roster == 0:
-                    # Public rosters
-                    safeuser = Utils.websafe(username)
-                    message = Bold(FontSize('+1',
-                                  _('No such member: %(safeuser)s.'))).Format()
-                else:
+                # Not a member. Don't report address in any case. It leads to
+                # Content injection. Just log if roster is not public.
+                if mlist.private_roster != 0:
                     syslog('mischief',
                        'Reminder attempt of non-member w/ private rosters: %s',
                        username)
fix CVE-2020-15011 (cherry picked from commit 743d820ab532a7b5a2c006bc31a52986139210ff) 2021-10-25 14:53:54 +08:00			`Description: Arbitrary content injection via Cgi/private.py archive login page`
			`Origin: https://bugs.launchpad.net/mailman/+bug/1877379`
			`Author: Mark Sapiro`

			`=== modified file 'Mailman/Cgi/private.py'`
			`Index: mailman-2.1.26/Mailman/Cgi/private.py`
			`===================================================================`
			`--- mailman-2.1.26.orig/Mailman/Cgi/private.py`
			`+++ mailman-2.1.26/Mailman/Cgi/private.py`
			`@@ -155,13 +155,9 @@ def main():`
			`if mlist.isMember(username):`
			`mlist.MailUserPassword(username)`
			`elif username:`
			`- # Not a member`
			`- if mlist.private_roster == 0:`
			`- # Public rosters`
			`- safeuser = Utils.websafe(username)`
			`- message = Bold(FontSize('+1',`
			`- _('No such member: %(safeuser)s.'))).Format()`
			`- else:`
			`+ # Not a member. Don't report address in any case. It leads to`
			`+ # Content injection. Just log if roster is not public.`
			`+ if mlist.private_roster != 0:`
			`syslog('mischief',`
			`'Reminder attempt of non-member w/ private rosters: %s',`
			`username)`