mailman/mailman-2.1.29-options_content_njection.patch

23 lines
973 B
Diff

=== modified file 'Mailman/Cgi/private.py'
--- Mailman/Cgi/private.py 2019-03-06 17:48:32 +0000
+++ Mailman/Cgi/private.py 2020-05-07 13:53:40 +0000
@@ -162,13 +162,9 @@
if mlist.isMember(username):
mlist.MailUserPassword(username)
elif username:
- # Not a member
- if mlist.private_roster == 0:
- # Public rosters
- safeuser = Utils.websafe(username)
- message = Bold(FontSize('+1',
- _('No such member: %(safeuser)s.'))).Format()
- else:
+ # Not a member. Don't report address in any case. It leads to
+ # Content injection. Just log if roster is not public.
+ if mlist.private_roster != 0:
syslog('mischief',
'Reminder attempt of non-member w/ private rosters: %s',
username)