Skip to content
Commit 90253245 authored by legoktm's avatar legoktm
Browse files

Ensure private archives stay private during import (CVE-2021-33038)

hyperkitty keeps state of whether a mailing list's archives should be
public or private in the hyperkitty_mailinglist table. However during
the import process, it would create a row using the default settings
(archive_policy="public") instead of getting the correct values from
Mailman. It would only sync with Mailman at the end of the import
process.

This patch explicitly creates the hyperkitty_mailinglist row/object at
the beginning of the import process, so the visiblity will be correctly
obtained from Mailman, before any messages can be accidentally leaked.

Closes #380.
parent 344c4ba9
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment