[Mailman-Developers] Re: [ mailman-Patches-674553 ] patch for options.py cross sitescripting bug

Tokio Kikuchi tkikuchi at is.kochi-u.ac.jp
Sun Jan 26 06:38:47 EST 2003


+    if not mlist.isMember(user):
+        if mlist.private_roster:
+            safeuser = _('<em>undisclosed</em>')

This is not a good idea because it will disclose the input email
address is not a member.

-def loginpage(mlist, doc, user, cgidata):
+def loginpage(mlist, doc, user, lang):
     realname = mlist.real_name
     actionurl = mlist.GetScriptURL('options')
     if user is None:
         title = _('%(realname)s list: member options login page')
         extra = _('email address and ')
-        title = _('%(realname)s list: member options for user %(user)s')
+        title = _('%(realname)s list: member options for user %(safeuser)s')

Is the name safeuser passed to loginpage()?

Sorry for including codes, but I have no time to apply the patch. ;-)

SourceForge.net wrote:
> Patches item #674553, was opened at 2003-01-25 07:42
> You can respond by visiting: 
> https://sourceforge.net/tracker/?func=detail&atid=300103&aid=674553&group_id=103


> _______________________________________________
> Mailman-coders mailing list
> Mailman-coders at python.org
> http://mail.python.org/mailman/listinfo/mailman-coders

Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp

More information about the Mailman-Developers mailing list