From b3610954779fbd5a97876bebee4734829106537d Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Thu, 23 Feb 2012 08:22:11 -0800
Subject: Added a few more safe_params to the CSRF check.

---
 Mailman/Cgi/admin.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'Mailman/Cgi')

diff --git a/Mailman/Cgi/admin.py b/Mailman/Cgi/admin.py
index d881241c..f3284e17 100644
--- a/Mailman/Cgi/admin.py
+++ b/Mailman/Cgi/admin.py
@@ -87,7 +87,8 @@ def main():
     cgidata = cgi.FieldStorage(keep_blank_values=1)
 
     # CSRF check
-    safe_params = ['VARHELP', 'adminpw', 'admlogin']
+    safe_params = ['VARHELP', 'adminpw', 'admlogin',
+                   'letter', 'chunk', 'findmember']
     params = cgidata.keys()
     if set(params) - set(safe_params):
         csrf_checked = csrf_check(mlist, cgidata.getvalue('csrf_token'))
-- 
cgit v1.2.3
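Review bot: The grown `safe_params` list carries no statement of the invariant that makes it safe: every request whose parameters all fall in this set skips `csrf_check` entirely, so each name here must be one that never changes list state on its own. 'letter', 'chunk' and 'findmember' look like membership-page navigation, but nothing in the hunk says so, and the next maintainer who adds an action parameter here silently opens a CSRF bypass. I would replace the bare `# CSRF check` with a comment stating the rule: `# Parameters that only select a view (help lookup, login form, membership-page paging/search). A request made up solely of these is exempt from the CSRF token check, so never add a parameter that triggers a state change.` The handling of `csrf_checked` when the check fails, and the rest of main(), lie outside the hunk, so I cannot confirm from here that no handler acts on a safe parameter alone; that is worth verifying against the membership-page code path.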