[Mailman-Developers] Bug in current authentication

Dan Mick Dan Mick <dmick@utopia.West.Sun.COM>
Wed, 27 Feb 2002 17:26:25 -0800 (PST)

A non-member can visit the listinfo page, enter an email address,
and get sent to a "member options" page...but there are no options,
really, for him to deal with.

He can also hit the "Password reminder" button once he gets there,
and get a response that a password is being mailed...but of course
that can't happen, since he's not a member.

options.py has this code:

    # Sanity check the user, but be careful about leaking membership
    # information when we're using private rosters.
    if not mlist.isMember(user) and mlist.private_roster == 0:
        # Avoid cross-site scripting attacks
        safeuser = cgi.escape(user)
        add_error_message(doc, _('No such member: %(safeuser)s.'))
        loginpage(mlist, doc, None, cgidata)
        print doc.Format()

but that misses the case of

    if not mlist.isMember(user) and mlist.private_roster == 1:

which is my case.  Why is that second check there?
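The decision logic quoted above, modelled side by side with a variant that closes the gap the post describes. This is an added example, not Mailman's code or its eventual fix: `FakeList` is a hypothetical stand-in for `mlist` exposing only `isMember()` and `private_roster`, the page-rendering calls (`loginpage`, `add_error_message`, `doc.Format()`) are replaced by returned tuples so the branching can be checked in isolation, and `html.escape` stands in for `cgi.escape`, which recent Python versions no longer ship. It also covers the "Password reminder" button from the post: mail is only ever sent to a real member, and on a private roster the wording is the same whether or not the address is subscribed, so the response cannot be used to probe membership.

```python
import html  # html.escape replaces cgi.escape, which newer Pythons no longer ship


class FakeList:
    """Hypothetical stand-in for the Mailman list object used in options.py.

    Only the two attributes the post relies on are modelled: isMember()
    and private_roster (0 = roster is public, 1 = roster is private).
    """

    def __init__(self, members, private_roster):
        self._members = {m.lower() for m in members}
        self.private_roster = private_roster

    def isMember(self, addr):
        return addr.lower() in self._members


def original_gate(mlist, user):
    """Decision logic as quoted from options.py: returns (page, error_text).

    Non-members are rejected only when the roster is public, so on a
    private roster a non-member falls straight through to the options page.
    """
    if not mlist.isMember(user) and mlist.private_roster == 0:
        safeuser = html.escape(user)  # avoid cross-site scripting
        return ("login", "No such member: %s." % safeuser)
    return ("options", None)


def hardened_gate(mlist, user):
    """Added variant: a non-member never reaches the options page.

    Public roster: keep the explicit error (membership is public anyway).
    Private roster: every unauthenticated address, member or not, gets the
    same login page with the same wording, so the reply reveals nothing.
    """
    safeuser = html.escape(user)
    if mlist.private_roster == 1:
        return ("login", "Log in to see the options for %s." % safeuser)
    if not mlist.isMember(user):
        return ("login", "No such member: %s." % safeuser)
    return ("options", None)


def password_reminder(mlist, user):
    """Added handler for the reminder button: returns (mail_sent, message).

    Mail is only sent to a real member. On a private roster the message is
    identical for members and non-members; on a public roster a non-member
    is told so, matching what the options page already does.
    """
    is_member = mlist.isMember(user)
    safeuser = html.escape(user)
    if mlist.private_roster == 1:
        return (is_member,
                "If %s is subscribed, a password reminder has been mailed." % safeuser)
    if not is_member:
        return (False, "No such member: %s." % safeuser)
    return (True, "A password reminder has been mailed to %s." % safeuser)


if __name__ == "__main__":
    # Constructed sample list: one member, roster private (the post's case).
    private = FakeList(["alice@example.com"], private_roster=1)
    print("original :", original_gate(private, "nobody@example.com"))
    print("hardened :", hardened_gate(private, "nobody@example.com"))
    print("reminder :", password_reminder(private, "nobody@example.com"))
```

The two hardened functions keep the public-roster behaviour unchanged and only alter the private-roster path, where the original code performed no check at all; the key property is that, on a private roster, the page chosen and the sentence shown no longer depend on `isMember()`, while the side effect (actually mailing a reminder) still does.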