Merge lp:~ralfjung-e/mailman/csrf-injective into lp:mailman/2.1
Proposed by: Ralf Jung
| Status | Merged |
|---|---|
| Merged at revision | 1759 |
| Proposed branch | lp:~ralfjung-e/mailman/csrf-injective |
| Merge into | lp:mailman/2.1 |
| Diff against target | 33 lines (+6/-6), 2 files modified: Mailman/Cgi/listinfo.py (+3/-3), Mailman/Cgi/subscribe.py (+3/-3) |
| To merge this branch | bzr merge lp:~ralfjung-e/mailman/csrf-injective |
| Related bugs | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Mark Sapiro | Approve | | |

Review via email: mp+347340@code.launchpad.net
Commit message
Separate data in CSRF token by colon to avoid collisions.
Description of the change
This makes the data-to-token function injective. Previously, for example, the
list called "list1" and the IP "10.0.0.0" would have the same hash as the list
called "list" and the IP "110.0.0.0", as the strings were just concatenated.
A couple thoughts:
1) The original code in listinfo.py uses 'now' twice in the token. I wonder if that's necessary.
2) Should use something besides a colon as colons are part of IPv6 addresses?
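An added example illustrating the collision in the change description and the IPv6 point raised in the review (not code from this branch or from Mailman; the HMAC-SHA256 construction, the secret, and the length-prefixed alternative are assumptions chosen for illustration): it shows how plain concatenation collides, how a colon separator removes that collision yet stays ambiguous when a field can itself contain a colon, and a length-prefixed encoding that is injective for any field content.

```python
import hashlib
import hmac

# Constructed stand-in for the server-side secret that keys the token.
# Illustrative only: not Mailman's secret handling or hash construction.
SECRET = b"constructed-example-secret"

def _mac(data: bytes) -> str:
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()

def token_concat(listname: str, ip: str, now: str) -> str:
    """Pre-fix scheme: fields glued together with no separator.
    Not injective: field boundaries are lost, so distinct inputs can
    produce the same byte string and therefore the same token."""
    return _mac((listname + ip + now).encode())

def token_colon(listname: str, ip: str, now: str) -> str:
    """This branch's fix: fields joined by ':'. Injective only while no
    field itself contains ':' (the IPv6 concern from the review)."""
    return _mac(":".join((listname, ip, now)).encode())

def encode_fields(*fields: str) -> bytes:
    """Length-prefixed encoding: each field is preceded by its byte length
    and '|', so the field list is recoverable whatever the fields contain."""
    out = b""
    for f in fields:
        raw = f.encode()
        out += str(len(raw)).encode() + b"|" + raw
    return out

def token_lenprefix(listname: str, ip: str, now: str) -> str:
    """Hypothetical alternative: injective regardless of field content."""
    return _mac(encode_fields(listname, ip, now))

def collides(fn, a, b) -> bool:
    """True when two distinct field tuples yield the same token under fn."""
    return a != b and fn(*a) == fn(*b)

# Constructed inputs: the case from the merge description, and an IPv6-style
# case where the colon separator is itself ambiguous.
IPV4_CASE = (("list1", "10.0.0.0", "1"), ("list", "110.0.0.0", "1"))
COLON_CASE = (("list", "::1", "1"), ("list:", ":1", "1"))

if __name__ == "__main__":
    for name, fn in (("concat", token_concat), ("colon", token_colon),
                     ("lenprefix", token_lenprefix)):
        print(name, collides(fn, *IPV4_CASE), collides(fn, *COLON_CASE))
```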