@@ -68,7 +68,7 @@ def main():
6868 if os .environ .get ('REQUEST_METHOD' ) == 'POST' :
6969 content_length = int (os .environ .get ('CONTENT_LENGTH' , 0 ))
7070 if content_length > 0 :
71- form_data = sys .stdin .read (content_length )
71+ form_data = sys .stdin .buffer . read (content_length ). decode ( 'utf-8' )
7272 cgidata = urllib .parse .parse_qs (form_data , keep_blank_values = True )
7373 else :
7474 cgidata = {}
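Review bot: The new line 71 decodes the request body with strict `'utf-8'`, so a POST body containing any non-UTF-8 byte now raises UnicodeDecodeError at this point, and no handler for it is visible in the hunk; the old `'latin-1'` path elsewhere in this file could not fail that way. Either decode leniently, `form_data = sys.stdin.buffer.read(content_length).decode('utf-8', errors='replace')`, or catch UnicodeDecodeError here and answer with a 400 instead of letting it propagate. Separately, `content_length` still comes straight from the `CONTENT_LENGTH` header and is passed unbounded to `read()`, so a client controls how much is buffered in memory; capping it against a configured maximum before the read would be a cheap defensive check. The enclosing `main()` starts before this hunk.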
@@ -111,47 +111,19 @@ def main():
111111 # If the user is not authenticated, we're done.
112112 try :
113113 mailman_log ('debug' , 'Checking authentication' )
114- if os .environ .get ('REQUEST_METHOD' ) == 'POST' :
115- content_length = int (os .environ .get ('CONTENT_LENGTH' , 0 ))
116- if content_length > 0 :
117- form_data = sys .stdin .buffer .read (content_length ).decode ('latin-1' )
118- cgidata = urllib .parse .parse_qs (form_data , keep_blank_values = True )
119- for key in cgidata :
120- cgidata [key ] = [v .decode ('latin-1' ) if isinstance (v , bytes ) else v for v in cgidata [key ]]
121- else :
122- cgidata = {}
114+ # CSRF check
115+ safe_params = ['VARHELP' , 'adminpw' , 'admlogin' ,
116+ 'letter' , 'chunk' , 'findmember' ,
117+ 'legend' ]
118+ params = list (cgidata .keys ())
119+ if set (params ) - set (safe_params ):
120+ csrf_checked = csrf_check (mlist , cgidata .get ('csrf_token' , ['' ])[0 ],
121+ 'admin' )
123122 else :
124- query_string = os .environ .get ('QUERY_STRING' , '' )
125- cgidata = urllib .parse .parse_qs (query_string , keep_blank_values = True )
126- for key in cgidata :
127- cgidata [key ] = [v .decode ('latin-1' ) if isinstance (v , bytes ) else v for v in cgidata [key ]]
128- mailman_log ('debug' , 'cgidata before auth: %s' , str (cgidata ))
129- except Exception as e :
130- doc = Document ()
131- doc .set_language (mm_cfg .DEFAULT_SERVER_LANGUAGE )
132- doc .AddItem (Header (2 , _ ("Error" )))
133- doc .AddItem (Bold (_ ('Invalid options to CGI script.' )))
134- doc .AddItem (Preformatted (Utils .websafe (str (e ))))
135- doc .AddItem (Preformatted (Utils .websafe (traceback .format_exc ())))
136- print ('Status: 400 Bad Request' )
137- print (doc .Format ())
138- mailman_log ('error' , 'admin: Invalid options: %s\n %s' , str (e ), traceback .format_exc ())
139- return
140- # CSRF check
141- safe_params = ['VARHELP' , 'adminpw' , 'admlogin' ,
142- 'letter' , 'chunk' , 'findmember' ,
143- 'legend' ]
144- params = list (cgidata .keys ())
145- if set (params ) - set (safe_params ):
146- csrf_checked = csrf_check (mlist , cgidata .get ('csrf_token' , ['' ])[0 ],
147- 'admin' )
148- else :
149- csrf_checked = True
150- if cgidata .get ('adminpw' , ['' ])[0 ]:
151- os .environ ['HTTP_COOKIE' ] = ''
152- csrf_checked = True
153- try :
154- mailman_log ('debug' , 'Calling WebAuthenticate' )
123+ csrf_checked = True
124+ if cgidata .get ('adminpw' , ['' ])[0 ]:
125+ os .environ ['HTTP_COOKIE' ] = ''
126+ csrf_checked = True
155127 mailman_log ('debug' , 'Authentication contexts: %s' , str ((mm_cfg .AuthListAdmin , mm_cfg .AuthSiteAdmin )))
156128 mailman_log ('debug' , 'Password provided: %s' , 'Yes' if cgidata .get ('adminpw' , ['' ])[0 ] else 'No' )
157129 mailman_log ('debug' , 'Cookie present: %s' , 'Yes' if os .environ .get ('HTTP_COOKIE' ) else 'No' )
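Review bot: The `except Exception as e` clause that answered malformed input with `Status: 400 Bad Request` (old lines 129–139) is dropped, and so is the inner `try:` that guarded the WebAuthenticate call (old lines 153–154), which leaves the outer `try:` on line 112 with no handler inside the hunk; presumably the WebAuthenticate handler further down now catches it, which means any exception raised by `csrf_check` or by the `cgidata` access on line 120 would be reported and logged as an authentication failure rather than as invalid CGI options. If that is intended, a one-line comment on line 112 such as `# Parsing, CSRF check and WebAuthenticate share one handler below` would save the next reader from looking for the missing except; if not, a narrow `except (KeyError, IndexError, ValueError)` that emits the 400 response should be restored around the CSRF block. `main()` continues past the end of this hunk, so the current handler cannot be confirmed from here.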