
Ensure private archives stay private during import (CVE-2021-33038)

legoktm requested to merge legoktm/hyperkitty:private-import into master

Hyperkitty keeps state of whether a mailing list's archives should be public or private in the hyperkitty_mailinglist table. However during the import process, it would create a row using the default settings (archive_policy="public") instead of getting the correct values from Mailman. It would only sync with Mailman at the end of the import process.

This patch explicitly creates the hyperkitty_mailinglist row/object at the beginning of the import process, so the visibility will be correctly obtained from Mailman, before any messages can be accidentally leaked.

Closes #380 (closed).

Edited by Abhilash Raj
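A simplified model of the ordering bug described above, added here as an illustration and not taken from HyperKitty's code base: `Archive`, `ListRow`, `MAILMAN_POLICIES` and `import_archive` are hypothetical stand-ins for the hyperkitty_mailinglist table, the Mailman policy lookup and the importer, and the mbox contents are constructed.

```python
from dataclasses import dataclass, field

# Constructed stand-in for Mailman's answer about a list's archive policy.
MAILMAN_POLICIES = {"secret@example.com": "private"}


@dataclass
class ListRow:
    """One row of the (hypothetical) hyperkitty_mailinglist table."""
    name: str
    archive_policy: str = "public"  # model default that exposed private archives
    messages: list = field(default_factory=list)


class Archive:
    """In-memory stand-in for the HyperKitty database."""

    def __init__(self):
        self.rows = {}

    def get_or_create(self, name):
        # Creating the row with model defaults is what made it "public".
        return self.rows.setdefault(name, ListRow(name))

    def sync_from_mailman(self, name):
        self.rows[name].archive_policy = MAILMAN_POLICIES.get(name, "public")


def import_archive(archive, name, mbox, fixed):
    """Import messages; return the policy in effect as each message landed."""
    exposure = []
    if fixed:
        # Patched ordering: create the row and fetch the real policy from
        # Mailman before any message is stored.
        archive.get_or_create(name)
        archive.sync_from_mailman(name)
    for msg in mbox:
        row = archive.get_or_create(name)
        row.messages.append(msg)
        exposure.append(row.archive_policy)
    if not fixed:
        # Unpatched ordering: the sync only happened once the import finished,
        # so the archive was readable as "public" for the whole import window.
        archive.sync_from_mailman(name)
    return exposure
```

Running both orderings over the same mbox shows the window in which the unpatched importer served a private list as public, even though its final state is correct.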
