admin interface CSRF check fails if listname contains '+'

Bug #1190802 reported by Mark Sapiro
Affects: GNU Mailman
Importance: High
Assigned to: Mark Sapiro

Bug Description

The hardening of the web admin interface against CSRF attacks which was introduced in Mailman 2.1.15 did not take into account listnames that contain a '+' character and confuses it with a delimiter, causing the check to fail.
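
An added illustration of this class of delimiter bug (not Mailman's code and not part of the original report). The token layout 'listname+context:mac', the function names and the secret are assumptions made for the example:

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value, not a real key
DELIM = "+"


def _mac(key):
    return hmac.new(SECRET, key.encode(), hashlib.sha256).hexdigest()


def make_token(listname, context):
    """Hypothetical token layout: 'listname+context:hexmac'."""
    key = listname + DELIM + context
    return key + ":" + _mac(key)


def check_naive(token, listname, allowed_contexts):
    """Splits on the first '+', so a '+' inside the list name is
    mistaken for the delimiter and a valid token is rejected."""
    key, _, mac = token.rpartition(":")
    if not hmac.compare_digest(_mac(key), mac):
        return False
    name, _, context = key.partition(DELIM)
    return name == listname and context in allowed_contexts


def check_prefix(token, listname, allowed_contexts):
    """Strips the known 'listname+' prefix instead of searching for the
    delimiter, so characters inside the list name are never parsed.
    Contexts come from a fixed set that contains no '+'."""
    key, _, mac = token.rpartition(":")
    if not hmac.compare_digest(_mac(key), mac):
        return False
    prefix = listname + DELIM
    if not key.startswith(prefix):
        return False
    return key[len(prefix):] in allowed_contexts


if __name__ == "__main__":
    contexts = {"admin", "moderator"}  # constructed context names
    for name in ("staff", "c++-users"):  # constructed list names
        tok = make_token(name, "admin")
        print(name, check_naive(tok, name, contexts),
              check_prefix(tok, name, contexts))
```

The failure is a false rejection of a legitimate form submission, not a bypass: the MAC still verifies, but the parsed list name no longer matches.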

Mark Sapiro (msapiro)
Changed in mailman:
status: In Progress → Fix Committed
Mark Sapiro (msapiro)
Changed in mailman:
milestone: 2.1.16 → 2.1.16rc1
status: Fix Committed → Fix Released