Ensure private archives stay private during import (CVE-2021-33038) (!351) · Merge requests · GNU Mailman / HyperKitty

legoktm requested to merge legoktm/hyperkitty:private-import into master May 17, 2021

Hyperkitty keeps state of whether a mailing list's archives should be public or private in the hyperkitty_mailinglist table. However during the import process, it would create a row using the default settings (archive_policy="public") instead of getting the correct values from Mailman. It would only sync with Mailman at the end of the import process.

This patch explicitly creates the hyperkitty_mailinglist row/object at the beginning of the import process, so the visiblity will be correctly obtained from Mailman, before any messages can be accidentally leaked.

Closes #380 (closed).

Edited May 18, 2021 by Abhilash Raj

Ensure private archives stay private during import (CVE-2021-33038)

Merge request reports