From: Jonas Meurer <jonas@freesources.org>
Date: Thu, 9 Sep 2021 13:51:05 +0200
Subject: [PATCH] Check a user owns the email they are trying to unsubscribe
 (CVE-2021-40347)
Origin: upstream, https://gitlab.com/mailman/postorius/-/commit/3d880c56b58bc26b32eac0799407d74b64b7474b
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993746
Author: Kunal Mehta <legoktm@debian.org>

The list unsubscribe/ endpoint now performs validation that the user
making the request owns the email address they have requested be
unsubscribed. Without this check, any logged-in user could unsubscribe
any other email address from any list, also leaking whether that address
was subscribed in the first place.
---
 src/postorius/views/list.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/postorius/views/list.py b/src/postorius/views/list.py
index 37d7ff6..cd4967b 100644
--- a/src/postorius/views/list.py
+++ b/src/postorius/views/list.py
@@ -502,6 +502,15 @@ class ListUnsubscribeView(MailingListView):
     @method_decorator(login_required)
     def post(self, request, *args, **kwargs):
         email = request.POST['email']
+        # Verify the user actually controls this email, should
+        # return 1 if the user owns the email, 0 otherwise.
+        found_email = EmailAddress.objects.filter(
+            user=request.user, email=email, verified=True).count()
+        if found_email == 0:
+            messages.error(
+                request,
+                _('You can only unsubscribe yourself.'))
+            return redirect('list_summary', self.mailing_list.list_id)
         try:
             self.mailing_list.unsubscribe(email)
             messages.success(request, _('%s has been unsubscribed'
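Review bot: the new lines reference `EmailAddress`, but the diff adds no import and the stat shows only these nine insertions, so confirm that name is already imported at the top of list.py; otherwise post() will raise NameError on the first unsubscribe attempt and the fix will not be exercised. The `verified=True` filter is the part of the check that matters: an address merely claimed by the account must not confer the right to unsubscribe it, so keep it. Two smaller points: the comment says the query "should return 1 if the user owns the email", but count() can legitimately return more than one row, so "non-zero" is the accurate wording (the `== 0` test already handles that correctly), and `.exists()` expresses the intent more directly than `.count() == 0`, e.g. `if not EmailAddress.objects.filter(user=request.user, email=email, verified=True).exists():`. Note also that the comparison is exact, so an address submitted with different letter-casing than the stored one fails closed with the "only unsubscribe yourself" message rather than unsubscribing; that is the safe direction, but worth knowing when triaging user reports after this lands.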
