ports/mail/mailman/files/patch-0-r1885-r1893
Matthias Andree 4854dd90a1 mail/mailman: pull in the post-2.1.39 fixes upstream...
by diffing revisions 1885 (2.1.39) against 1893 in the upstream repo

While here, drop USES=autoreconf, which we no longer need, and
which triggers warnings from autoconf because the configure.in was
developed for an older autoconf version.

Bump PORTREVISION to 2.
2023-11-08 20:42:12 +01:00


This is a patch generated by unpacking
https://bazaar.launchpad.net/tarball/1885
https://bazaar.launchpad.net/tarball/1893
as .tgz tarballs into separate directories and diffing it
with GNU diff -NEur:
diff -NEur bin/cleanarch bin/cleanarch
--- bin/cleanarch 2018-06-18 01:47:34.744000000 +0200
+++ bin/cleanarch 2022-01-11 04:08:45.300000000 +0100
@@ -60,7 +60,7 @@
# From RFC 2822, a header field name must contain only characters from 33-126
# inclusive, excluding colon. I.e. from oct 41 to oct 176 less oct 072. Must
# use re.match() so that it's anchored at the beginning of the line.
-fre = re.compile(r'[\041-\071\073-\176]+')
+fre = re.compile(r'[\041-\071\073-\176]+:')
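Review bot: The comment above `fre` still describes only the field-name character class, but the new pattern also requires the terminating colon, so the comment and the regex no longer agree. I would add a line such as `# The name must be followed immediately by a colon; text that merely starts with printable characters is not a header.` A header written with whitespace before the colon would not match this pattern; whether such input occurs in the archives being cleaned is not visible here.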
diff -NEur Mailman/Cgi/options.py Mailman/Cgi/options.py
--- Mailman/Cgi/options.py 2021-11-24 04:38:19.869000000 +0100
+++ Mailman/Cgi/options.py 2023-05-22 21:58:09.582000000 +0200
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2023 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -164,13 +164,40 @@
loginpage(mlist, doc, None, language)
print doc.Format()
return
- # Sanity check the user, but only give the "no such member" error when
- # using public rosters, otherwise, we'll leak membership information.
+ # Sanity check the user, but we have to give the appropriate error msg
+ # to not potentially leak membership info. This is a kludge here. We
+ # have to check membership here to avoid LP: #1951769, but then we have
+ # to give the appropriate error to avoid LP: #1968443
+ msgc = _('If you are a list member, a confirmation email has been sent.')
+ msgb = _('You already have a subscription pending confirmation')
+ msga = _("""If you are a list member, your unsubscription request has been
+ forwarded to the list administrator for approval.""")
+ msgd = _("""If you are a list member,
+ your password has been emailed to you.""")
if not mlist.isMember(user):
if mlist.private_roster == 0:
doc.addError(_('No such member: %(safeuser)s.'))
- loginpage(mlist, doc, None, language)
- print doc.Format()
+ user = None
+ elif cgidata.has_key('login-unsub'):
+ syslog('mischief',
+ 'Unsub attempt of non-member w/ private rosters: %s',
+ user)
+ if mlist.unsubscribe_policy:
+ doc.addError(msga, tag='')
+ else:
+ doc.addError(msgc, tag='')
+ user = None
+ elif cgidata.has_key('login-remind'):
+ syslog('mischief',
+ 'Reminder attempt of non-member w/ private rosters: %s',
+ user)
+ doc.addError(msgd, tag='')
+ user = None
+ # We get here with a non-None user in the case of a non-member with
+ # private rosters. This creates a possible membership leak, but we
+ # fix that a different way. See LP: #2017813.
+ loginpage(mlist, doc, user, language)
+ print doc.Format()
return
# Avoid cross-site scripting attacks
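Review bot: In the two private-roster branches (`login-unsub` and `login-remind`) the added `user = None` means the final `loginpage(mlist, doc, user, language)` receives `None` for a non-member, while the member paths in the later `login-unsub` and `login-remind` hunks call `loginpage` with the address. If `loginpage` renders differently for `None` than for an address (its body is not shown here), the two responses stay distinguishable despite the identical message text, which is the kind of leak LP: #1968443 is meant to close. I would keep `user = None` only in the `private_roster == 0` branch and drop it from the two `elif` branches so both outcomes render the same page. The enclosing function starts and ends outside this hunk.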
@@ -204,10 +231,6 @@
i18n.set_language(userlang)
# Are we processing an unsubscription request from the login screen?
- msgc = _('If you are a list member, a confirmation email has been sent.')
- msgb = _('You already have a subscription pending confirmation')
- msga = _("""If you are a list member, your unsubscription request has been
- forwarded to the list administrator for approval.""")
if cgidata.has_key('login-unsub'):
# Because they can't supply a password for unsubscribing, we'll need
# to do the confirmation dance.
@@ -233,39 +256,20 @@
finally:
mlist.Unlock()
else:
- # Not a member
- if mlist.private_roster == 0:
- # Public rosters
- doc.addError(_('No such member: %(safeuser)s.'))
- else:
- syslog('mischief',
- 'Unsub attempt of non-member w/ private rosters: %s',
- user)
- if mlist.unsubscribe_policy:
- doc.addError(msga, tag='')
- else:
- doc.addError(msgc, tag='')
+ # Not a member handled above.
+ pass
loginpage(mlist, doc, user, language)
print doc.Format()
return
# Are we processing a password reminder from the login screen?
- msg = _("""If you are a list member,
- your password has been emailed to you.""")
if cgidata.has_key('login-remind'):
if mlist.isMember(user):
mlist.MailUserPassword(user)
- doc.addError(msg, tag='')
+ doc.addError(msgd, tag='')
else:
- # Not a member
- if mlist.private_roster == 0:
- # Public rosters
- doc.addError(_('No such member: %(safeuser)s.'))
- else:
- syslog('mischief',
- 'Reminder attempt of non-member w/ private rosters: %s',
- user)
- doc.addError(msg, tag='')
+ # Not a member handled above.
+ pass
loginpage(mlist, doc, user, language)
print doc.Format()
return
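Review bot: `mlist.MailUserPassword(user)`, and the locked confirmation path in the `login-unsub` block above it, run only for members, because non-members return at the earlier `isMember` guard. If the mail is generated inline, response time may still separate members from non-members on private-roster lists, which this patch does not address. I would record that next to the call, e.g. `# NOTE: member-only work; response time can differ from the non-member early return.` Separately, the two `else:` / `pass` branches are now dead and could be dropped, moving the "handled above" comment onto the `if`. Both blocks sit in a function whose start and end are outside the hunk.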
@@ -293,7 +297,9 @@
# to authenticate via cgi (instead of cookie), then print an error
# message.
if cgidata.has_key('password'):
- doc.addError(_('Authentication failed.'))
+ if mlist.private_roster == 0:
+ # Only add error with public rosters lp: #2015416
+ doc.addError(_('Authentication failed.'))
remote = os.environ.get('HTTP_FORWARDED_FOR',
os.environ.get('HTTP_X_FORWARDED_FOR',
os.environ.get('REMOTE_ADDR',
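Review bot: `remote` prefers `HTTP_FORWARDED_FOR` and `HTTP_X_FORWARDED_FOR` over `REMOTE_ADDR`, and those values come from request headers. Unless a fronting proxy overwrites them, the address written to the `mischief` log in the next hunk is whatever the client sent. With the error text and the 401 now suppressed for private rosters, that log line becomes the main record of failed logins. I would log the socket peer as well, for example by passing `os.environ.get('REMOTE_ADDR')` as an additional field to the `syslog` call. The `remote = ...` statement continues past the end of this hunk.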
@@ -307,9 +313,11 @@
syslog('mischief',
'Login failure with private rosters: %s from %s',
user, remote)
- user = None
+ # Don't clear user here. See LP: #2017813.
# give an HTTP 401 for authentication failure
- print 'Status: 401 Unauthorized'
+ if mlist.private_roster == 0:
+ # Only add error with public rosters lp: #2015416
+ print 'Status: 401 Unauthorized'
loginpage(mlist, doc, user, language)
print doc.Format()
return
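Review bot: The comment `# Only add error with public rosters lp: #2015416` above `print 'Status: 401 Unauthorized'` is copied from the previous hunk and does not describe this line. The context comment `# give an HTTP 401 for authentication failure` is now true only for public rosters. I would reword them to `# give an HTTP 401 for authentication failure (public rosters only)` and `# Presumably a 401 would reveal membership with private rosters. LP: #2015416`. It is also worth a comment that a failed login on a private-roster list now returns a normal status, so monitoring keyed on HTTP status will miss it and the `mischief` log is the only signal.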
diff -NEur messages/de/LC_MESSAGES/mailman.po messages/de/LC_MESSAGES/mailman.po
--- messages/de/LC_MESSAGES/mailman.po 2020-06-27 02:12:17.548000000 +0200
+++ messages/de/LC_MESSAGES/mailman.po 2022-03-29 01:55:20.774000000 +0200
@@ -4577,7 +4577,7 @@
#: Mailman/Defaults.py:1809
msgid "Esperanto"
-msgstr "Deutsch"
+msgstr "Esperanto"
# Mailman/Defaults.py:773
#: Mailman/Defaults.py:1810
diff -NEur NEWS NEWS
--- NEWS 2021-12-13 21:36:11.555000000 +0100
+++ NEWS 2023-05-22 21:58:09.582000000 +0200
@@ -5,6 +5,26 @@
Here is a history of user visible changes to Mailman.
+2.1.40 (xx-xxx-xxxx)
+
+ i18n
+
+ - The German translation of `Esperanto` is fixed. (LP: #1966685)
+
+ Bug Fixes and other patches
+
+ - Test for a valid header following a Unix From_ line in bin/cleanarch
+ has been improved. (LP: #1957025)
+ - A 500 Internal Server Error when requesting the options page for a
+ non-member address on a list with private rosters is avoided.
+ (LP: #1961762)
+ - A possible list membership leak via the user options CGI is fixed.
+ (LP: #1968443)
+ - Another possible list membership leak via the user options CGI is fixed.
+ (LP: #2015416)
+ - Yet another possible list membership leak via the user options CGI is
+ fixed. (LP: #2017813)
+
2.1.39 (13-Dec-2021)
Bug Fixes and other patches