    Ensure private archives stay private during import (CVE-2021-33038) · 90253245
    legoktm authored
    hyperkitty keeps state of whether a mailing list's archives should be
    public or private in the hyperkitty_mailinglist table. However during
    the import process, it would create a row using the default settings
    (archive_policy="public") instead of getting the correct values from
    Mailman. It would only sync with Mailman at the end of the import.
    This patch explicitly creates the hyperkitty_mailinglist row/object at
    the beginning of the import process, so the visibility will be correctly
    obtained from Mailman, before any messages can be accidentally leaked.
    Closes #380.
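
A minimal model of the ordering problem described in the commit message above, added here as an illustration and not taken from HyperKitty's code: every class, function and list address in it is an assumption. It counts how many messages of a private list an anonymous reader could see while an import is still running, with the Mailman sync done only at the end versus also at the start.

```python
# Simplified model of the import ordering issue (hypothetical names, not HyperKitty code).
from dataclasses import dataclass, field

# Constructed sample: the archive policy Mailman would report for each list.
MAILMAN_SETTINGS = {"secret@example.org": "private", "announce@example.org": "public"}

@dataclass
class ListRow:
    name: str
    archive_policy: str = "public"  # the default named in the commit message
    messages: list = field(default_factory=list)

class Archive:
    def __init__(self):
        self.rows = {}

    def sync_from_mailman(self, name):
        """Create the row if needed and copy its policy from Mailman."""
        row = self.rows.setdefault(name, ListRow(name))
        row.archive_policy = MAILMAN_SETTINGS[name]
        return row

    def add_message(self, name, msg):
        # If no row exists yet, it is created lazily with the default policy.
        self.rows.setdefault(name, ListRow(name)).messages.append(msg)

    def anonymous_view(self, name):
        """Messages a reader without list membership can see."""
        row = self.rows.get(name)
        return list(row.messages) if row and row.archive_policy == "public" else []

def run_import(name, msgs, sync_first):
    """Import msgs and return (peak exposure during import, exposure afterwards)."""
    archive = Archive()
    if sync_first:
        archive.sync_from_mailman(name)  # ordering the commit introduces
    exposed = 0
    for msg in msgs:
        archive.add_message(name, msg)
        exposed = max(exposed, len(archive.anonymous_view(name)))
    archive.sync_from_mailman(name)  # end-of-import sync, present in both orderings
    return exposed, len(archive.anonymous_view(name))
```

The final state is the same in both orderings, which is why a check that only inspects the archive after the import finishes would not catch the exposure window.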
To find the state of this project's repository at the time of any of these versions, check out the tags.
news.rst 10.4 KB