From bb493df55fe504a0dd4f743ad48837fd18eb9888 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Tue, 5 May 2020 08:08:54 -0700
Subject: Fixed options login content injection vulnerability.
---
 Mailman/Cgi/options.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'Mailman/Cgi/options.py')
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 641ec134..ee2293e2 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -173,7 +173,7 @@ def main():
 try:
 Utils.ValidateEmail(user)
 except Errors.EmailAddressError:
- doc.addError(_('Illegal Email Address: %(safeuser)s'))
+ doc.addError(_('Illegal Email Address'))
 loginpage(mlist, doc, None, language)
 print doc.Format()
 return
-- cgit v1.2.3
From 248ca38ffb4821a131460c9953aa21d6fe7cec04 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Mon, 18 May 2020 10:01:51 -0700
Subject: Extend REFUSE_SECOND_PENDING to unsubscription as well.
---
 Mailman/Cgi/options.py | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'Mailman/Cgi/options.py')
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index ee2293e2..1037f8f9 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -206,6 +206,7 @@ def main():
 # Are we processing an unsubscription request from the login screen?
 msgc = _('If you are a list member, a confirmation email has been sent.')
+ msgb = _('You already have a subscription pending confirmation')
 msga = _("""If you are a list member, your unsubscription request has been forwarded to the list administrator for approval.""")
 if cgidata.has_key('login-unsub'):
@@ -228,6 +229,8 @@ def main():
 mlist.ConfirmUnsubscription(user, userlang, remote=ip)
 doc.addError(msgc, tag='')
 mlist.Save()
+ except Errors.MMAlreadyPending:
+ doc.addError(msgb)
 finally:
 mlist.Unlock()
 else:
-- cgit v1.2.3
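Review bot: The `except Errors.EmailAddressError:` branch now omits the submitted address but carries no comment saying why, so a later edit could reintroduce `%(safeuser)s` without noticing the regression. A one-line comment above the call would record the intent, for example `# Do not echo the submitted address: it is request-controlled and was usable for content injection.` The msgid also changes, so existing catalog entries for the old string presumably stop matching and the error may appear untranslated until the translations are regenerated. main() begins and ends outside this hunk, so whether `safeuser` is still needed elsewhere cannot be confirmed from here.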
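Review bot: The new `msgb` text says "subscription pending confirmation", yet it is defined next to the unsubscription messages and the later hunk shows it on the unsubscribe path, so the user is told about the wrong kind of request. If the string is not deliberately shared with the subscribe page for translation reuse, a dedicated wording such as `msgb = _('You already have an unsubscription pending confirmation')` would be clearer. A short comment stating which exception `msgb` answers would also help, since `msga` and `msgc` are only explained by the comment on the line above them.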
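Review bot: The added `except Errors.MMAlreadyPending:` handler returns a response that differs from the deliberately neutral `msgc` ("If you are a list member, ..."), which may let an unauthenticated visitor tell whether an address has a pending request and therefore whether it is subscribed. This depends on `ConfirmUnsubscription` raising the exception only for existing members, which is not visible here because the `try` block opens outside the hunk. If that holds, keeping the responses indistinguishable with `doc.addError(msgc, tag='')` in the handler would preserve the non-disclosure the surrounding messages aim for. The call also omits `tag=''`, unlike the `msgc` call two lines above, so it will presumably render with the default error prefix; confirm that is intended.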