[Mailman-Developers] Re: [ mailman-Patches-674553 ] patch for options.py cross site scripting bug
Tokio Kikuchi
tkikuchi at is.kochi-u.ac.jp
Sun Jan 26 06:38:47 EST 2003
Barry,
+ if not mlist.isMember(user):
+ if mlist.private_roster:
+ safeuser = _('<em>undisclosed</em>')
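Review bot: at the `if mlist.private_roster:` branch, `safeuser` becomes the literal `<em>undisclosed</em>` only when `mlist.isMember(user)` is false, so on a private-roster list the rendered value itself tells the requester whether the submitted address is subscribed. Suggest producing the same masked or HTML-escaped value for members and non-members alike, and checking that every path through this code assigns `safeuser`, since these lines show an assignment for only one combination of conditions.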
This is not a good idea because it will disclose that the input email
address is not a member.
-def loginpage(mlist, doc, user, cgidata):
+def loginpage(mlist, doc, user, lang):
realname = mlist.real_name
actionurl = mlist.GetScriptURL('options')
if user is None:
title = _('%(realname)s list: member options login page')
extra = _('email address and ')
else:
- title = _('%(realname)s list: member options for user %(user)s')
+ title = _('%(realname)s list: member options for user %(safeuser)s')
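Review bot: the new title string interpolates `%(safeuser)s`, but the changed signature `loginpage(mlist, doc, user, lang)` has no `safeuser` parameter and none of the visible lines assign it inside the function, so the name may be unresolved when the title is formatted. Suggest either passing the escaped value in as an argument or deriving it from `user` at the top of `loginpage()`; the `user is None` branch above does not use it and is unaffected. The swap of `cgidata` for `lang` also means every caller needs updating in the same patch.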
Is the name safeuser passed to loginpage()?
Sorry for including code, but I have no time to apply the patch. ;-)
SourceForge.net wrote:
> Patches item #674553, was opened at 2003-01-25 07:42
> You can respond by visiting:
> https://sourceforge.net/tracker/?func=detail&atid=300103&aid=674553&group_id=103
>
(snip)
--
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/