request forgery check displayed when only viewing admin pages
Bug #1160647 reported by Phil Sutter
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNU Mailman | Fix Released | Low | Mark Sapiro |
Bug Description
CSRF checking in admin.py is buggy. Logging into the admin interface succeeds fine, but when clicking any of the links on the page top, the request forgery error message is displayed on the resulting page.
The problem is basically that Cgi/admin.py is called with only a single param in cgidata, namely 'admin' (which is empty). Since this param is not part of the safe_params list, csrf_check() is called with 'None' as second parameter.
Since submitting forms is working fine, this bug is merely a cosmetic one but still very confusing.
Changed in mailman:
importance: Undecided → Low
milestone: none → 2.1.16
status: Incomplete → Fix Committed

Changed in mailman:
milestone: 2.1.16 → 2.1.16rc1
status: Fix Committed → Fix Released
It works for me. What Mailman version is this? How was it installed? What browser are you using? What do the actual links look like?
In my case, a URL like http://www.example.com/mailman/admin/list/privacy/sender or http://www.example.com/mailman/admin/list/passwords produces a FieldStorage instance which is empty, i.e. cgidata.keys() is an empty list.
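
The two observations above (an empty `cgidata` versus one holding only an empty `admin` key) can be compared with a small model of the gate. This is an added example, not Mailman's code: only the names `safe_params` and `csrf_check` come from the report, while the token scheme, the list contents and the `gate` helper are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values: the report names safe_params and csrf_check()
# but does not show their contents, so everything else here is assumed.
SAFE_PARAMS = {"letter", "chunk"}
SECRET = b"constructed-demo-secret"


def make_token(user):
    """Issue a token bound to the user (toy scheme for the demo)."""
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def csrf_check(user, token):
    """Return True only for a token that was issued to this user."""
    if token is None:
        return False
    return hmac.compare_digest(make_token(user), token)


def gate(user, cgidata):
    """Any key outside SAFE_PARAMS forces a token check.

    Returns (checked, ok): whether csrf_check() ran, and the outcome.
    """
    unsafe = set(cgidata) - SAFE_PARAMS
    if not unsafe:
        return (False, True)  # pure view request, nothing to validate
    return (True, csrf_check(user, cgidata.get("csrf_token")))


if __name__ == "__main__":
    cases = {
        "empty FieldStorage (comment)": {},
        "only empty 'admin' key (report)": {"admin": ""},
        "form post with token": {"description": "x",
                                 "csrf_token": make_token("owner")},
    }
    for label, data in cases.items():
        print(label, "->", gate("owner", data))
```

The second case is the one from the report: a link that carries a single valueless parameter is treated like a form submission, the token lookup yields `None`, and the check fails even though nothing was submitted.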