From: Jonas Meurer <jonas@freesources.org>
Date: Fri, 28 May 2021 13:36:54 +0200
Subject: Ensure private archives stay private during import (CVE-2021-33038)

hyperkitty keeps state of whether a mailing list's archives should be
public or private in the hyperkitty_mailinglist table. However during
the import process, it would create a row using the default settings
(archive_policy="public") instead of getting the correct values from
Mailman. It would only sync with Mailman at the end of the import
process.

This patch explicitly creates the hyperkitty_mailinglist row/object at
the beginning of the import process, so the visibility will be correctly
obtained from Mailman, before any messages can be accidentally leaked.

Origin: upstream, https://gitlab.com/mailman/hyperkitty/-/merge_requests/351
Bug: https://gitlab.com/mailman/hyperkitty/-/issues/380
Bug-Debian: http://bugs.debian.org/989183
---
 hyperkitty/management/commands/hyperkitty_import.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hyperkitty/management/commands/hyperkitty_import.py b/hyperkitty/management/commands/hyperkitty_import.py
index 5277dcd..a547712 100644
--- a/hyperkitty/management/commands/hyperkitty_import.py
+++ b/hyperkitty/management/commands/hyperkitty_import.py
@@ -45,7 +45,7 @@ from hyperkitty.lib.mailman import sync_with_mailman
 from hyperkitty.lib.analysis import compute_thread_order_and_depth
 from hyperkitty.lib.utils import get_message_id
 from hyperkitty.management.utils import setup_logging
-from hyperkitty.models import Email, Thread
+from hyperkitty.models import Email, MailingList, Thread
 
 
 TEXTWRAP_RE = re.compile(r"\n\s*")
@@ -278,6 +278,11 @@ class Command(BaseCommand):
         # if (settings.DATABASES["default"]["ENGINE"]
         #     != "django.db.backends.sqlite3":
         #     transaction.set_autocommit(False)
+        # Sync list settings with Mailman before importing messages:
+        if not options["no_sync_mailman"]:
+            mlist = MailingList.objects.get_or_create(name=list_address)[0]
+            mlist.update_from_mailman()
+            mlist.save()
         settings.HYPERKITTY_BATCH_MODE = True
         # Only import emails newer than the latest email in the DB
         latest_email_date = Email.objects.filter(
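Review bot: the added sync is gated on `if not options["no_sync_mailman"]:`, so an import run with that option set still takes the pre-patch path the commit message describes, where the row is created with the default archive_policy="public" and messages are stored before any visibility is known. Consider handling that branch explicitly, for example by creating the MailingList row with a private policy when the sync is skipped, or by refusing to import into a list that has no existing row, and say in the option's help text what skipping the sync means for archive visibility. Separately, nothing here checks the outcome of `mlist.update_from_mailman()`; if that call can return without having obtained the settings from Mailman, the import continues with the default, so it is worth confirming that it raises on failure or aborting the import at this point. The diffstat shows only this file changed; a regression test that asserts the list's archive_policy before the first message is stored would guard against this ordering being lost in a later refactor.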
