Description: CVE-2016-6893: CSRF protection needs to be extended to the user options page
Author: Mark Sapiro <mark@msapiro.net>
Last-Update: 2016-09-15
diff -Nur mailman-2.1.18.orig/Mailman/Cgi/admindb.py mailman-2.1.18/Mailman/Cgi/admindb.py
--- mailman-2.1.20.orig/Mailman/Cgi/admindb.py 2014-05-03 19:37:22.000000000 +0200
+++ mailman-2.1.20/Mailman/Cgi/admindb.py 2016-09-15 07:55:04.308506251 +0200
@@ -39,6 +39,7 @@
from Mailman.Cgi import Auth
from Mailman.htmlformat import *
from Mailman.Logging.Syslog import syslog
+from Mailman.CSRFcheck import csrf_check
EMPTYSTRING = ''
NL = '\n'
@@ -58,6 +59,9 @@
else:
ssort = SSENDER
+AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
+ mm_cfg.AuthListModerator)
+
�
def helds_by_skey(mlist, ssort=SSENDER):
diff -Nur mailman-2.1.18.orig/Mailman/Cgi/edithtml.py mailman-2.1.18/Mailman/Cgi/edithtml.py
--- mailman-2.1.20.orig/Mailman/Cgi/edithtml.py 2014-05-03 19:37:22.000000000 +0200
+++ mailman-2.1.20/Mailman/Cgi/edithtml.py 2016-09-15 07:55:04.308506251 +0200
@@ -30,9 +30,12 @@
from Mailman.Cgi import Auth
from Mailman.Logging.Syslog import syslog
from Mailman import i18n
+from Mailman.CSRFcheck import csrf_check
_ = i18n._
+AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin)
+
�
def main():
diff -Nur mailman-2.1.18.orig/Mailman/Cgi/options.py mailman-2.1.18/Mailman/Cgi/options.py
--- mailman-2.1.20.orig/Mailman/Cgi/options.py 2014-05-03 19:37:22.000000000 +0200
+++ mailman-2.1.20/Mailman/Cgi/options.py 2016-09-15 07:55:04.308506251 +0200
@@ -32,6 +32,7 @@
from Mailman import i18n
from Mailman.htmlformat import *
from Mailman.Logging.Syslog import syslog
+from Mailman.CSRFcheck import csrf_check
OR = '|'
SLASH = '/'
@@ -47,6 +48,8 @@
True = 1
False = 0
+AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
+ mm_cfg.AuthListModerator, mm_cfg.AuthUser)
�
def main():
diff -Nur mailman-2.1.18.orig/Mailman/htmlformat.py mailman-2.1.18/Mailman/htmlformat.py
--- mailman-2.1.20.orig/Mailman/htmlformat.py 2016-09-15 07:54:30.000000000 +0200
+++ mailman-2.1.20/Mailman/htmlformat.py 2016-09-15 07:55:04.308506251 +0200
@@ -407,13 +407,14 @@
class Form(Container):
def __init__(self, action='', method='POST', encoding=None,
- mlist=None, contexts=None, *items):
+ mlist=None, contexts=None, user=None, *items):
apply(Container.__init__, (self,) + items)
self.action = action
self.method = method
self.encoding = encoding
self.mlist = mlist
self.contexts = contexts
+ self.user = user
def set_action(self, action):
self.action = action
@@ -428,7 +429,7 @@
if self.mlist:
output = output + \
'<input type="hidden" name="csrf_token" value="%s">\n' \
- % csrf_token(self.mlist, self.contexts)
+ % csrf_token(self.mlist, self.contexts, self.user)
output = output + Container.Format(self, indent+2)
output = '%s\n%s</FORM>\n' % (output, spaces)
return output
diff -Nur mailman-2.1.18.orig/Mailman/HTMLFormatter.py mailman-2.1.18/Mailman/HTMLFormatter.py
--- mailman-2.1.20.orig/Mailman/HTMLFormatter.py 2014-05-03 19:37:22.000000000 +0200
+++ mailman-2.1.20/Mailman/HTMLFormatter.py 2016-09-15 07:55:04.308506251 +0200
@@ -28,6 +28,8 @@
from Mailman.i18n import _
+from Mailman.CSRFcheck import csrf_token
+
EMPTYSTRING = ''
BR = '<br>'
@@ -317,12 +319,17 @@
container.AddItem("</center>")
return container
- def FormatFormStart(self, name, extra=''):
+ def FormatFormStart(self, name, extra='',
+ mlist=None, contexts=None, user=None):
base_url = self.GetScriptURL(name)
if extra:
full_url = "%s/%s" % (base_url, extra)
else:
full_url = base_url
+ if mlist:
+ return ("""<form method="POST" action="%s">
+<input type="hidden" name="csrf_token" value="%s">"""
+ % (full_url, csrf_token(mlist, contexts, user)))
return ('<FORM Method=POST ACTION="%s">' % full_url)
def FormatArchiveAnchor(self):
