
Security
--------

- Importing a private mailing list with ``hyperkitty_import`` will enforce
  the visibility of the archives for the duration of the import. This fixes
  a bug where the private archives would have public visibility during imports,
  which could lead to temporary information leakage.
  (CVE-2021-33038, Closes #380)

Index: HyperKitty-1.3.2/hyperkitty/management/commands/hyperkitty_import.py
===================================================================
--- HyperKitty-1.3.2.orig/hyperkitty/management/commands/hyperkitty_import.py	2019-08-17 03:20:19.000000000 +0200
+++ HyperKitty-1.3.2/hyperkitty/management/commands/hyperkitty_import.py	2021-06-02 14:32:18.256892623 +0200
@@ -48,7 +48,7 @@ from hyperkitty.lib.incoming import Dupl
 from hyperkitty.lib.mailman import sync_with_mailman
 from hyperkitty.lib.utils import get_message_id
 from hyperkitty.management.utils import setup_logging
-from hyperkitty.models import Email, Thread
+from hyperkitty.models import Email, MailingList, Thread
 
 
 TEXTWRAP_RE = re.compile(r"\n\s*")
@@ -294,6 +294,11 @@ class Command(BaseCommand):
         # if (settings.DATABASES["default"]["ENGINE"]
         #     != "django.db.backends.sqlite3":
         #     transaction.set_autocommit(False)
+        # Sync list settings with Mailman before importing messages:
+        if not options["no_sync_mailman"]:
+            mlist = MailingList.objects.get_or_create(name=list_address)[0]
+            mlist.update_from_mailman()
+            mlist.save()
         settings.HYPERKITTY_BATCH_MODE = True
         # Only import emails newer than the latest email in the DB
         latest_email_date = Email.objects.filter(
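Review bot: The visibility enforcement added here runs only when `options["no_sync_mailman"]` is false, so an import that passes that option skips the `update_from_mailman()` call entirely and the list keeps whatever visibility it already had (or the model default, if `get_or_create` just created it) for the whole import — the exposure window this patch closes is reopened under that option. That should at least be stated next to the block so operators know the option disables the fix: `# Sync list settings (incl. private/public visibility) with Mailman before importing; with no_sync_mailman the list keeps its current or default visibility for the entire import.` Whether `update_from_mailman()` can raise when Mailman is unreachable is not visible in this hunk; if it can, the import now aborts here before any message is written, which is presumably the safer outcome but worth confirming. The enclosing method, including where `list_address` is defined, starts and ends outside the hunk.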