python-HyperKitty/python-HyperKitty-CVE-2021-33038.patch
Matej Cepl d9cfa22dc4 Accepting request 896914 from home:pgajdos
- security update
- added patches
  fix CVE-2021-33038 [bsc#1186575], information disclosure when importing a private mailing list
  + python-HyperKitty-CVE-2021-33038.patch

OBS-URL: https://build.opensuse.org/request/show/896914
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:mailman/python-HyperKitty?expand=0&rev=41
2021-06-02 16:18:37 +00:00


Security
--------
- Importing a private mailing list with ``hyperkitty_import`` will enforce
the visibility of the archives for the duration of the import. This fixes
a bug where the private archives would have public visibility during imports
which could lead to temporary information leakage.
(CVE-2021-33038, Closes #380)
diff --git a/hyperkitty/management/commands/hyperkitty_import.py b/hyperkitty/management/commands/hyperkitty_import.py
index a853bf193430094add74219af5210a5bc0eae938..268d6c61e75a9cdb55f5590e8915500b870be2ca 100644
--- a/hyperkitty/management/commands/hyperkitty_import.py
+++ b/hyperkitty/management/commands/hyperkitty_import.py
@@ -49,7 +49,7 @@ from hyperkitty.lib.incoming import DuplicateMessage, add_to_list
from hyperkitty.lib.mailman import sync_with_mailman
from hyperkitty.lib.utils import get_message_id
from hyperkitty.management.utils import setup_logging
-from hyperkitty.models import Email, Thread
+from hyperkitty.models import Email, MailingList, Thread
# Allow all wierd line endings.
@@ -338,6 +338,11 @@ class Command(BaseCommand):
# if (settings.DATABASES["default"]["ENGINE"]
# != "django.db.backends.sqlite3":
# transaction.set_autocommit(False)
+ # Sync list settings with Mailman before importing messages:
+ if not options["no_sync_mailman"]:
+ mlist = MailingList.objects.get_or_create(name=list_address)[0]
+ mlist.update_from_mailman()
+ mlist.save()
settings.HYPERKITTY_BATCH_MODE = True
# Only import emails newer than the latest email in the DB
latest_email_date = Email.objects.filter(
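Review bot: The visibility enforcement is skipped entirely when the command runs with `--no-sync-mailman`, because the new `MailingList.objects.get_or_create(name=list_address)` / `update_from_mailman()` block sits inside `if not options["no_sync_mailman"]:`, so a private list imported with that flag presumably still gets created with default visibility for the duration of the import — the window the changelog above says this fixes. If that trade-off is intended it should be stated at the new branch, e.g. `# NOTE: with --no-sync-mailman the archive policy is not fetched first, so a private list's visibility is not enforced during this import.`; otherwise consider syncing the list record regardless of the flag, or refusing to import with it. It is also worth confirming what `update_from_mailman()` does when the Mailman REST API is unreachable — if it swallows the error, the list keeps whatever defaults `get_or_create` assigned and the same leak window reopens, so failing closed before `settings.HYPERKITTY_BATCH_MODE = True` would be safer. The enclosing method of `Command` starts and ends outside the hunk.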