CSRF check for user tokens should not be case sensitive.
Bug #1954694 reported by Mark Sapiro
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNU Mailman | Fix Released | Medium | Unassigned | 
Bug Description
The fix for CVE-2021-42097 requires that the user submitting a user options form match the user in the CSRF token submitted with the form, but the match is case sensitive and should not be.
There is also a potential NameError exception in logging a mismatch.
description: updated
Changed in mailman: status: In Progress → Fix Released
Changed in mailman: assignee: Mark Sapiro (msapiro) → Ant Phyo Hlyand Tun (antphyo)
Changed in mailman: assignee: Ant Phyo Hlyand Tun (antphyo) → nobody