Description: CVE-2016-6893: CSRF protection needs to be extended to the user options page Author: Mark Sapiro <mark@msapiro.net> Last-Update: 2016-09-15
diff -Nur mailman-2.1.18.orig/Mailman/Cgi/admindb.py mailman-2.1.18/Mailman/Cgi/admindb.py
--- mailman-2.1.20.orig/Mailman/Cgi/admindb.py 2014-05-03 19:37:22.000000000 +0200
+++ mailman-2.1.20/Mailman/Cgi/admindb.py 2016-09-15 07:55:04.308506251 +0200
@@ -39,6 +39,7 @@
 from Mailman.Cgi import Auth
 from Mailman.htmlformat import *
 from Mailman.Logging.Syslog import syslog
+from Mailman.CSRFcheck import csrf_check
 EMPTYSTRING = ''
 NL = '\n'
@@ -58,6 +59,9 @@
 else:
 ssort = SSENDER
+AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
+ mm_cfg.AuthListModerator)
+
 def helds_by_skey(mlist, ssort=SSENDER):
diff -Nur mailman-2.1.18.orig/Mailman/Cgi/edithtml.py mailman-2.1.18/Mailman/Cgi/edithtml.py
--- mailman-2.1.20.orig/Mailman/Cgi/edithtml.py 2014-05-03 19:37:22.000000000 +0200
+++ mailman-2.1.20/Mailman/Cgi/edithtml.py 2016-09-15 07:55:04.308506251 +0200
@@ -30,9 +30,12 @@
 from Mailman.Cgi import Auth
 from Mailman.Logging.Syslog import syslog
 from Mailman import i18n
+from Mailman.CSRFcheck import csrf_check
 _ = i18n._
+AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin)
+
 def main():
diff -Nur mailman-2.1.18.orig/Mailman/Cgi/options.py mailman-2.1.18/Mailman/Cgi/options.py
--- mailman-2.1.20.orig/Mailman/Cgi/options.py 2014-05-03 19:37:22.000000000 +0200
+++ mailman-2.1.20/Mailman/Cgi/options.py 2016-09-15 07:55:04.308506251 +0200
@@ -32,6 +32,7 @@
 from Mailman import i18n
 from Mailman.htmlformat import *
 from Mailman.Logging.Syslog import syslog
+from Mailman.CSRFcheck import csrf_check
 OR = '|'
 SLASH = '/'
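Review bot: The `AUTH_CONTEXTS` tuple introduced in admindb.py and edithtml.py here (and a third variant in options.py in the next hunk) is an undocumented module constant whose membership differs per script, and nothing in these hunks shows where it is consumed — each script's `main()` lies outside the patch, so the relationship to the newly imported `csrf_check` is only inferred. A one-line comment above each definition would let a reader verify the set is deliberate, e.g. `# Auth contexts whose CSRF tokens this CGI accepts; presumably passed to csrf_check()`. Whether moderators belong in the admindb and options sets but not in edithtml's can only be confirmed against the `main()` bodies the patch does not show.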
@@ -47,6 +48,8 @@
 True = 1
 False = 0
+AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
+ mm_cfg.AuthListModerator, mm_cfg.AuthUser)
 def main():
diff -Nur mailman-2.1.18.orig/Mailman/htmlformat.py mailman-2.1.18/Mailman/htmlformat.py
--- mailman-2.1.20.orig/Mailman/htmlformat.py 2016-09-15 07:54:30.000000000 +0200
+++ mailman-2.1.20/Mailman/htmlformat.py 2016-09-15 07:55:04.308506251 +0200
@@ -407,13 +407,14 @@
 class Form(Container):
 def __init__(self, action='', method='POST', encoding=None,
- mlist=None, contexts=None, *items):
+ mlist=None, contexts=None, user=None, *items):
 apply(Container.__init__, (self,) + items)
 self.action = action
 self.method = method
 self.encoding = encoding
 self.mlist = mlist
 self.contexts = contexts
+ self.user = user
 def set_action(self, action):
 self.action = action
@@ -428,7 +429,7 @@
 if self.mlist:
 output = output + \
 '<input type="hidden" name="csrf_token" value="%s">\n' \
- % csrf_token(self.mlist, self.contexts)
+ % csrf_token(self.mlist, self.contexts, self.user)
 output = output + Container.Format(self, indent+2)
 output = '%s\n%s</FORM>\n' % (output, spaces)
 return output
diff -Nur mailman-2.1.18.orig/Mailman/HTMLFormatter.py mailman-2.1.18/Mailman/HTMLFormatter.py
--- mailman-2.1.20.orig/Mailman/HTMLFormatter.py 2014-05-03 19:37:22.000000000 +0200
+++ mailman-2.1.20/Mailman/HTMLFormatter.py 2016-09-15 07:55:04.308506251 +0200
@@ -28,6 +28,8 @@
 from Mailman.i18n import _
+from Mailman.CSRFcheck import csrf_token
+
 EMPTYSTRING = ''
 BR = '<br>'
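Review bot: Inserting `user=None` ahead of `*items` in `Form.__init__` changes what a sixth positional argument means: a caller that previously wrote `Form(action, method, encoding, mlist, contexts, item)` would now have `item` bound to `user` and handed to `csrf_token` by `Format` instead of being rendered as a child. I cannot see the callers, so this may be theoretical, but since this is Python 2 code (`apply`) with no keyword-only syntax, the intent should at least be documented on the signature: `# user: the member the CSRF token is bound to; pass by keyword, *items follows`. The `Format` hunk below is consistent with the new attribute; `Form.__init__` starts inside the hunk but the class continues past it.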
@@ -317,12 +319,17 @@
 container.AddItem("</center>")
 return container
- def FormatFormStart(self, name, extra=''):
+ def FormatFormStart(self, name, extra='',
+ mlist=None, contexts=None, user=None):
 base_url = self.GetScriptURL(name)
 if extra:
 full_url = "%s/%s" % (base_url, extra)
 else:
 full_url = base_url
+ if mlist:
+ return ("""<form method="POST" action="%s">
+<input type="hidden" name="csrf_token" value="%s">"""
+ % (full_url, csrf_token(mlist, contexts, user)))
 return ('<FORM Method=POST ACTION="%s">' % full_url)
 def FormatArchiveAnchor(self):
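Review bot: The new `if mlist:` branch is the only path that emits a `csrf_token` hidden field; callers that still invoke `FormatFormStart(name, extra)` without `mlist` fall through to the old untokenised `<FORM>` line, so such a form will presumably be refused by whatever `csrf_check` the receiving CGI performs rather than flagged at render time. A comment on the fallback would make that contract explicit, e.g. `# No mlist: legacy caller, no token is emitted; the target CGI's csrf_check decides whether to accept it`, and the method would benefit from a docstring naming `mlist`, `contexts` and `user` as the values the token is bound to. The two branches also use different markup (`<form method="POST" ...>` versus `<FORM Method=POST ...>`); harmless to browsers, but worth unifying so the fallback is not mistaken for a different form type.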