Prevent replay attacks with the confirmation token.

2 files changed, 2 insertions, 5 deletions

diff --git a/src/mailman/commands/eml_confirm.py b/src/mailman/commands/eml_confirm.py
index 2ee48e938..077fab9a6 100644
--- a/src/mailman/commands/eml_confirm.py
+++ b/src/mailman/commands/eml_confirm.py
@@ -53,7 +53,7 @@ class Confirm:
         tokens.add(token)
         results.confirms = tokens
         try:
-            succeeded = IRegistrar(mlist).confirm(token)
+            succeeded = (IRegistrar(mlist).confirm(token) is None)
         except LookupError:
             # The token must not exist in the database.
             succeeded = False
diff --git a/src/mailman/commands/tests/test_confirm.py b/src/mailman/commands/tests/test_confirm.py
index 2f6a8088f..98a26bf7d 100644
--- a/src/mailman/commands/tests/test_confirm.py
+++ b/src/mailman/commands/tests/test_confirm.py
@@ -31,7 +31,7 @@ from mailman.interfaces.command import ContinueProcessing
 from mailman.interfaces.registrar import IRegistrar
 from mailman.interfaces.usermanager import IUserManager
 from mailman.runners.command import Results
-from mailman.testing.helpers import get_queue_messages, reset_the_world
+from mailman.testing.helpers import get_queue_messages
 from mailman.testing.layers import ConfigLayer
 from zope.component import getUtility
 
@@ -51,9 +51,6 @@ class TestConfirm(unittest.TestCase):
         # Clear the virgin queue.
         get_queue_messages('virgin')
 
-    def tearDown(self):
-        reset_the_world()
-
     def test_welcome_message(self):
         # A confirmation causes a welcome message to be sent to the member, if
         # enabled by the mailing list.