Ensure private archives stay private during import (CVE-2021-33038)
hyperkitty keeps state of whether a mailing list's archives should be public or private in the hyperkitty_mailinglist table. However during the import process, it would create a row using the default settings (archive_policy="public") instead of getting the correct values from Mailman. It would only sync with Mailman at the end of the import process. This patch explicitly creates the hyperkitty_mailinglist row/object at the beginning of the import process, so the visiblity will be correctly obtained from Mailman, before any messages can be accidentally leaked. Closes #380.
Showing with 15 additions and 1 deletion