[Mailman-Developers] Bug in current authentication
Dan Mick
Dan Mick <dmick@utopia.West.Sun.COM>
Wed, 27 Feb 2002 17:26:25 -0800 (PST)
A non-member can visit the listinfo page, enter an email address,
and get sent to a "member options" page...but there are no options,
really, for him to deal with.
He can also hit the "Password reminder" button once he gets there,
and get a response that a password is being mailed...but of course
that can't happen, since he's not a member.
options.py has this code:
    # Sanity check the user, but be careful about leaking membership
    # information when we're using private rosters.
    if not mlist.isMember(user) and mlist.private_roster == 0:
        # Avoid cross-site scripting attacks
        safeuser = cgi.escape(user)
        add_error_message(doc, _('No such member: %(safeuser)s.'))
        loginpage(mlist, doc, None, cgidata)
        print doc.Format()
        return
but that misses the case of
if not mlist.isMember(user) and mlist.private_roster == 1:
which is my case. Why is that second check there?
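The check is conditioned on private_roster == 0 so that a public roster can say "No such member" outright, while a private roster must not confirm or deny membership. The fall-through for private rosters is what produces the empty options page and the bogus reminder. The following is an added example, not code from Mailman or from the poster, that models the quoted check alongside a variant whose response on a private roster does not depend on isMember(); the MailingList stand-in, the function names and the message texts are assumptions made for the example.

```python
import html  # Python 3 replacement for cgi.escape used in the quoted snippet


class MailingList:
    """Constructed stand-in for Mailman's mlist object (assumption for this example)."""

    def __init__(self, members, private_roster):
        self._members = {m.lower() for m in members}
        # 0 = anyone may view the roster, non-zero = roster is private
        self.private_roster = private_roster

    def isMember(self, user):
        return user.lower() in self._members


def original_check(mlist, user):
    """Mirror of the quoted options.py logic. Returns (page, message).

    Unknown addresses are rejected only when the roster is public; on a
    private roster a non-member falls through to the options page, which is
    the behaviour reported in the post.
    """
    if not mlist.isMember(user) and mlist.private_roster == 0:
        safeuser = html.escape(user)  # avoid reflecting raw HTML
        return ('login', 'No such member: %s.' % safeuser)
    return ('options', None)


def hardened_check(mlist, user):
    """Variant (assumption, not Mailman's fix) that keeps the public-roster
    error but, on a private roster, sends every address to the login page
    with the same membership-neutral text, so the response reveals nothing.
    """
    safeuser = html.escape(user)
    if mlist.private_roster == 0:
        if not mlist.isMember(user):
            return ('login', 'No such member: %s.' % safeuser)
        return ('options', None)
    # Private roster: same page and wording for members and non-members;
    # membership is only confirmed after a successful password login.
    return ('login', 'Enter the password for %s to view its options.' % safeuser)


def password_reminder(mlist, user):
    """Returns (message, mail_sent). On a private roster the message is
    identical for any address; only the side effect (actually mailing a
    reminder) depends on membership, so nothing is leaked to the browser.
    """
    safeuser = html.escape(user)
    is_member = mlist.isMember(user)
    if mlist.private_roster == 0 and not is_member:
        return ('No such member: %s.' % safeuser, False)
    return ('If %s is subscribed, a password reminder has been mailed to it.'
            % safeuser, is_member)


if __name__ == '__main__':
    private = MailingList(['alice@example.com'], 1)
    print(original_check(private, 'bob@example.com'))   # falls through: ('options', None)
    print(hardened_check(private, 'bob@example.com'))
    print(hardened_check(private, 'alice@example.com'))  # same page and wording
    print(password_reminder(private, 'bob@example.com'))  # message shown, no mail sent
```

The point of the hardened variant is that, for a private roster, the two observable outputs (the page served and the reminder text) are computed without branching on isMember(); the only membership-dependent action is the mail that never reaches the non-member.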