git: 4854dd90a199 - main - mail/mailman: pull in the post-2.1.39 fixes upstream...

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Wed, 08 Nov 2023 19:42:14 UTC
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4854dd90a199107cd6a94da257131e09927de3c5

commit 4854dd90a199107cd6a94da257131e09927de3c5
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2023-11-08 19:40:22 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-11-08 19:42:12 +0000

    mail/mailman: pull in the post-2.1.39 fixes upstream...
    
    by diffing revisions 1885 (2.1.39) against 1893 in the upstream repo
    
    While here, drop USES=autoreconf, which we no longer need, and
    which triggers warnings from autoconf because the configure.in was
    developed for an older autoconf version.
    
    Bump PORTREVISION to 2.
---
 mail/mailman/Makefile                  |   4 +-
 mail/mailman/files/patch-0-r1885-r1893 | 195 +++++++++++++++++++++++++++++++++
 2 files changed, 197 insertions(+), 2 deletions(-)

diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile
index 65c8df3f485a..ecf88cdd7569 100644
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	mailman
 DISTVERSION=	2.1.39
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	mail
 MASTER_SITES=	GNU \
 		SF/${PORTNAME}/Mailman%202.1%20%28stable%29/${PORTVERSION} \
@@ -17,7 +17,7 @@ WWW=		https://www.list.org/
 LICENSE=	GPLv2
 LICENSE_FILE=	${WRKSRC}/gnu-COPYING-GPL
 
-USES=		autoreconf cpe fakeroot python:2.7 shebangfix tar:tgz
+USES=		cpe fakeroot python:2.7 shebangfix tar:tgz
 CPE_VENDOR=	gnu
 
 USE_RC_SUBR=	mailman
diff --git a/mail/mailman/files/patch-0-r1885-r1893 b/mail/mailman/files/patch-0-r1885-r1893
new file mode 100644
index 000000000000..fbcde7e7f206
--- /dev/null
+++ b/mail/mailman/files/patch-0-r1885-r1893
@@ -0,0 +1,195 @@
+This is a patch generated by unpacking
+https://bazaar.launchpad.net/tarball/1885
+https://bazaar.launchpad.net/tarball/1893
+as .tgz tarballs into separate directories and diffing it
+with GNU diff -NEur:
+
+diff -NEur bin/cleanarch bin/cleanarch
+--- bin/cleanarch	2018-06-18 01:47:34.744000000 +0200
++++ bin/cleanarch	2022-01-11 04:08:45.300000000 +0100
+@@ -60,7 +60,7 @@
+ # From RFC 2822, a header field name must contain only characters from 33-126
+ # inclusive, excluding colon.  I.e. from oct 41 to oct 176 less oct 072.  Must
+ # use re.match() so that it's anchored at the beginning of the line.
+-fre = re.compile(r'[\041-\071\073-\176]+')
++fre = re.compile(r'[\041-\071\073-\176]+:')
+ 
+ 
+ 
+diff -NEur Mailman/Cgi/options.py Mailman/Cgi/options.py
+--- Mailman/Cgi/options.py	2021-11-24 04:38:19.869000000 +0100
++++ Mailman/Cgi/options.py	2023-05-22 21:58:09.582000000 +0200
+@@ -1,4 +1,4 @@
+-# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
++# Copyright (C) 1998-2023 by the Free Software Foundation, Inc.
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -164,13 +164,40 @@
+         loginpage(mlist, doc, None, language)
+         print doc.Format()
+         return
+-    # Sanity check the user, but only give the "no such member" error when
+-    # using public rosters, otherwise, we'll leak membership information.
++    # Sanity check the user, but we have to give the appropriate error msg
++    # to not potentially leak membership info. This is a kludge here. We
++    # have to check membership here to avoid LP: #1951769, but then we have
++    # to give the appropriate error to avoid LP: #1968443
++    msgc = _('If you are a list member, a confirmation email has been sent.')
++    msgb = _('You already have a subscription pending confirmation')
++    msga = _("""If you are a list member, your unsubscription request has been
++             forwarded to the list administrator for approval.""")
++    msgd = _("""If you are a list member,
++            your password has been emailed to you.""")
+     if not mlist.isMember(user):
+         if mlist.private_roster == 0:
+             doc.addError(_('No such member: %(safeuser)s.'))
+-            loginpage(mlist, doc, None, language)
+-            print doc.Format()
++            user = None
++        elif cgidata.has_key('login-unsub'):
++            syslog('mischief',
++                   'Unsub attempt of non-member w/ private rosters: %s',
++                   user)
++            if mlist.unsubscribe_policy:
++                doc.addError(msga, tag='')
++            else:
++                doc.addError(msgc, tag='')
++            user = None
++        elif cgidata.has_key('login-remind'):
++            syslog('mischief',
++                   'Reminder attempt of non-member w/ private rosters: %s',
++                   user)
++            doc.addError(msgd, tag='')
++            user = None
++        # We get here with a non-None user in the case of a non-member with
++        # private rosters.  This creates a possible membership leak, but we
++        # fix that a different way. See LP: #2017813.
++        loginpage(mlist, doc, user, language)
++        print doc.Format()
+         return
+ 
+     # Avoid cross-site scripting attacks
+@@ -204,10 +231,6 @@
+     i18n.set_language(userlang)
+ 
+     # Are we processing an unsubscription request from the login screen?
+-    msgc = _('If you are a list member, a confirmation email has been sent.')
+-    msgb = _('You already have a subscription pending confirmation')
+-    msga = _("""If you are a list member, your unsubscription request has been
+-             forwarded to the list administrator for approval.""")
+     if cgidata.has_key('login-unsub'):
+         # Because they can't supply a password for unsubscribing, we'll need
+         # to do the confirmation dance.
+@@ -233,39 +256,20 @@
+             finally:
+                 mlist.Unlock()
+         else:
+-            # Not a member
+-            if mlist.private_roster == 0:
+-                # Public rosters
+-                doc.addError(_('No such member: %(safeuser)s.'))
+-            else:
+-                syslog('mischief',
+-                       'Unsub attempt of non-member w/ private rosters: %s',
+-                       user)
+-                if mlist.unsubscribe_policy:
+-                    doc.addError(msga, tag='')
+-                else:
+-                    doc.addError(msgc, tag='')
++            # Not a member handled above.
++            pass
+         loginpage(mlist, doc, user, language)
+         print doc.Format()
+         return
+ 
+     # Are we processing a password reminder from the login screen?
+-    msg = _("""If you are a list member,
+-            your password has been emailed to you.""")
+     if cgidata.has_key('login-remind'):
+         if mlist.isMember(user):
+             mlist.MailUserPassword(user)
+-            doc.addError(msg, tag='')
++            doc.addError(msgd, tag='')
+         else:
+-            # Not a member
+-            if mlist.private_roster == 0:
+-                # Public rosters
+-                doc.addError(_('No such member: %(safeuser)s.'))
+-            else:
+-                syslog('mischief',
+-                       'Reminder attempt of non-member w/ private rosters: %s',
+-                       user)
+-                doc.addError(msg, tag='')
++            # Not a member handled above.
++            pass
+         loginpage(mlist, doc, user, language)
+         print doc.Format()
+         return
+@@ -293,7 +297,9 @@
+         # to authenticate via cgi (instead of cookie), then print an error
+         # message.
+         if cgidata.has_key('password'):
+-            doc.addError(_('Authentication failed.'))
++            if mlist.private_roster == 0:
++                # Only add error with public rosters lp: #2015416
++                doc.addError(_('Authentication failed.'))
+             remote = os.environ.get('HTTP_FORWARDED_FOR',
+                      os.environ.get('HTTP_X_FORWARDED_FOR',
+                      os.environ.get('REMOTE_ADDR',
+@@ -307,9 +313,11 @@
+                 syslog('mischief',
+                        'Login failure with private rosters: %s from %s',
+                        user, remote)
+-                user = None
++                # Don't clear user here. See LP: #2017813.
+             # give an HTTP 401 for authentication failure
+-            print 'Status: 401 Unauthorized'
++            if mlist.private_roster == 0:
++                # Only add error with public rosters lp: #2015416
++                print 'Status: 401 Unauthorized'
+         loginpage(mlist, doc, user, language)
+         print doc.Format()
+         return
+diff -NEur messages/de/LC_MESSAGES/mailman.po messages/de/LC_MESSAGES/mailman.po
+--- messages/de/LC_MESSAGES/mailman.po	2020-06-27 02:12:17.548000000 +0200
++++ messages/de/LC_MESSAGES/mailman.po	2022-03-29 01:55:20.774000000 +0200
+@@ -4577,7 +4577,7 @@
+ 
+ #: Mailman/Defaults.py:1809
+ msgid "Esperanto"
+-msgstr "Deutsch"
++msgstr "Esperanto"
+ 
+ # Mailman/Defaults.py:773
+ #: Mailman/Defaults.py:1810
+diff -NEur NEWS NEWS
+--- NEWS	2021-12-13 21:36:11.555000000 +0100
++++ NEWS	2023-05-22 21:58:09.582000000 +0200
+@@ -5,6 +5,26 @@
+ 
+ Here is a history of user visible changes to Mailman.
+ 
++2.1.40 (xx-xxx-xxxx)
++
++  i18n
++
++    - The German translation of `Esperanto` is fixed.  (LP: #1966685)
++
++  Bug Fixes and other patches
++
++    - Test for a valid header following a Unix From_ line in bin/cleanarch
++      has been improved.  (LP: #1957025)
++    - A 500 Internal Server Error when requesting the options page for a
++      non-member address on a list with private rosters is avoided.
++      (LP: #1961762)
++    - A possible list membership leak via the user options CGI is fixed.
++      (LP: #1968443)
++    - Another possible list membership leak via the user options CGI is fixed.
++      (LP: #2015416)
++    - Yet another possible list membership leak via the user options CGI is
++      fixed.  (LP: #2017813)
++
+ 2.1.39 (13-Dec-2021)
+ 
+   Bug Fixes and other patches