Diffstat (limited to 'mail/mailman/files/patch-0-r1885-r1893')
-rw-r--r--mail/mailman/files/patch-0-r1885-r1893195
1 files changed, 195 insertions, 0 deletions
diff --git a/mail/mailman/files/patch-0-r1885-r1893 b/mail/mailman/files/patch-0-r1885-r1893
new file mode 100644
index 000000000000..fbcde7e7f206
--- /dev/null
+++ b/mail/mailman/files/patch-0-r1885-r1893
@@ -0,0 +1,195 @@
+This is a patch generated by unpacking
+https://bazaar.launchpad.net/tarball/1885
+https://bazaar.launchpad.net/tarball/1893
+as .tgz tarballs into separate directories and diffing it
+with GNU diff -NEur:
+
+diff -NEur bin/cleanarch bin/cleanarch
+--- bin/cleanarch 2018-06-18 01:47:34.744000000 +0200
++++ bin/cleanarch 2022-01-11 04:08:45.300000000 +0100
+@@ -60,7 +60,7 @@
+ # From RFC 2822, a header field name must contain only characters from 33-126
+ # inclusive, excluding colon. I.e. from oct 41 to oct 176 less oct 072. Must
+ # use re.match() so that it's anchored at the beginning of the line.
+-fre = re.compile(r'[\041-\071\073-\176]+')
++fre = re.compile(r'[\041-\071\073-\176]+:')
+
+
+
+diff -NEur Mailman/Cgi/options.py Mailman/Cgi/options.py
+--- Mailman/Cgi/options.py 2021-11-24 04:38:19.869000000 +0100
++++ Mailman/Cgi/options.py 2023-05-22 21:58:09.582000000 +0200
+@@ -1,4 +1,4 @@
+-# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
++# Copyright (C) 1998-2023 by the Free Software Foundation, Inc.
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -164,13 +164,40 @@
+ loginpage(mlist, doc, None, language)
+ print doc.Format()
+ return
+- # Sanity check the user, but only give the "no such member" error when
+- # using public rosters, otherwise, we'll leak membership information.
++ # Sanity check the user, but we have to give the appropriate error msg
++ # to not potentially leak membership info. This is a kludge here. We
++ # have to check membership here to avoid LP: #1951769, but then we have
++ # to give the appropriate error to avoid LP: #1968443
++ msgc = _('If you are a list member, a confirmation email has been sent.')
++ msgb = _('You already have a subscription pending confirmation')
++ msga = _("""If you are a list member, your unsubscription request has been
++ forwarded to the list administrator for approval.""")
++ msgd = _("""If you are a list member,
++ your password has been emailed to you.""")
+ if not mlist.isMember(user):
+ if mlist.private_roster == 0:
+ doc.addError(_('No such member: %(safeuser)s.'))
+- loginpage(mlist, doc, None, language)
+- print doc.Format()
++ user = None
++ elif cgidata.has_key('login-unsub'):
++ syslog('mischief',
++ 'Unsub attempt of non-member w/ private rosters: %s',
++ user)
++ if mlist.unsubscribe_policy:
++ doc.addError(msga, tag='')
++ else:
++ doc.addError(msgc, tag='')
++ user = None
++ elif cgidata.has_key('login-remind'):
++ syslog('mischief',
++ 'Reminder attempt of non-member w/ private rosters: %s',
++ user)
++ doc.addError(msgd, tag='')
++ user = None
++ # We get here with a non-None user in the case of a non-member with
++ # private rosters. This creates a possible membership leak, but we
++ # fix that a different way. See LP: #2017813.
++ loginpage(mlist, doc, user, language)
++ print doc.Format()
+ return
+
+ # Avoid cross-site scripting attacks
+@@ -204,10 +231,6 @@
+ i18n.set_language(userlang)
+
+ # Are we processing an unsubscription request from the login screen?
+- msgc = _('If you are a list member, a confirmation email has been sent.')
+- msgb = _('You already have a subscription pending confirmation')
+- msga = _("""If you are a list member, your unsubscription request has been
+- forwarded to the list administrator for approval.""")
+ if cgidata.has_key('login-unsub'):
+ # Because they can't supply a password for unsubscribing, we'll need
+ # to do the confirmation dance.
+@@ -233,39 +256,20 @@
+ finally:
+ mlist.Unlock()
+ else:
+- # Not a member
+- if mlist.private_roster == 0:
+- # Public rosters
+- doc.addError(_('No such member: %(safeuser)s.'))
+- else:
+- syslog('mischief',
+- 'Unsub attempt of non-member w/ private rosters: %s',
+- user)
+- if mlist.unsubscribe_policy:
+- doc.addError(msga, tag='')
+- else:
+- doc.addError(msgc, tag='')
++ # Not a member handled above.
++ pass
+ loginpage(mlist, doc, user, language)
+ print doc.Format()
+ return
+
+ # Are we processing a password reminder from the login screen?
+- msg = _("""If you are a list member,
+- your password has been emailed to you.""")
+ if cgidata.has_key('login-remind'):
+ if mlist.isMember(user):
+ mlist.MailUserPassword(user)
+- doc.addError(msg, tag='')
++ doc.addError(msgd, tag='')
+ else:
+- # Not a member
+- if mlist.private_roster == 0:
+- # Public rosters
+- doc.addError(_('No such member: %(safeuser)s.'))
+- else:
+- syslog('mischief',
+- 'Reminder attempt of non-member w/ private rosters: %s',
+- user)
+- doc.addError(msg, tag='')
++ # Not a member handled above.
++ pass
+ loginpage(mlist, doc, user, language)
+ print doc.Format()
+ return
+@@ -293,7 +297,9 @@
+ # to authenticate via cgi (instead of cookie), then print an error
+ # message.
+ if cgidata.has_key('password'):
+- doc.addError(_('Authentication failed.'))
++ if mlist.private_roster == 0:
++ # Only add error with public rosters lp: #2015416
++ doc.addError(_('Authentication failed.'))
+ remote = os.environ.get('HTTP_FORWARDED_FOR',
+ os.environ.get('HTTP_X_FORWARDED_FOR',
+ os.environ.get('REMOTE_ADDR',
+@@ -307,9 +313,11 @@
+ syslog('mischief',
+ 'Login failure with private rosters: %s from %s',
+ user, remote)
+- user = None
++ # Don't clear user here. See LP: #2017813.
+ # give an HTTP 401 for authentication failure
+- print 'Status: 401 Unauthorized'
++ if mlist.private_roster == 0:
++ # Only add error with public rosters lp: #2015416
++ print 'Status: 401 Unauthorized'
+ loginpage(mlist, doc, user, language)
+ print doc.Format()
+ return
+diff -NEur messages/de/LC_MESSAGES/mailman.po messages/de/LC_MESSAGES/mailman.po
+--- messages/de/LC_MESSAGES/mailman.po 2020-06-27 02:12:17.548000000 +0200
++++ messages/de/LC_MESSAGES/mailman.po 2022-03-29 01:55:20.774000000 +0200
+@@ -4577,7 +4577,7 @@
+
+ #: Mailman/Defaults.py:1809
+ msgid "Esperanto"
+-msgstr "Deutsch"
++msgstr "Esperanto"
+
+ # Mailman/Defaults.py:773
+ #: Mailman/Defaults.py:1810
+diff -NEur NEWS NEWS
+--- NEWS 2021-12-13 21:36:11.555000000 +0100
++++ NEWS 2023-05-22 21:58:09.582000000 +0200
+@@ -5,6 +5,26 @@
+
+ Here is a history of user visible changes to Mailman.
+
++2.1.40 (xx-xxx-xxxx)
++
++ i18n
++
++ - The German translation of `Esperanto` is fixed. (LP: #1966685)
++
++ Bug Fixes and other patches
++
++ - Test for a valid header following a Unix From_ line in bin/cleanarch
++ has been improved. (LP: #1957025)
++ - A 500 Internal Server Error when requesting the options page for a
++ non-member address on a list with private rosters is avoided.
++ (LP: #1961762)
++ - A possible list membership leak via the user options CGI is fixed.
++ (LP: #1968443)
++ - Another possible list membership leak via the user options CGI is fixed.
++ (LP: #2015416)
++ - Yet another possible list membership leak via the user options CGI is
++ fixed. (LP: #2017813)
++
+ 2.1.39 (13-Dec-2021)
+
+ Bug Fixes and other patches
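Review bot: In the nested Mailman/Cgi/options.py hunk (the `@@ -164,13 +164,40 @@` block), a non-member on a list with `private_roster != 0` who is neither unsubscribing nor asking for a reminder now reaches `loginpage(mlist, doc, user, language)` with the submitted address instead of `None`, and the same applies where `user = None` is dropped after the login-failure syslog in the `@@ -307,9 +313,11 @@` block. Both calls sit before the `# Avoid cross-site scripting attacks` step that follows the early `return`, so `user` is still the raw form value at that point; whether that is safe depends on `loginpage()` escaping it itself, which is outside this patch and should be confirmed. If it does not, pass the escaped value instead, or at least record the assumption next to the call: `# user is the unescaped form value here; loginpage() must websafe() it before rendering`. The enclosing CGI function in options.py starts and ends outside the quoted hunks.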