------------------------------------------------------------
revno: 1747
committer: Mark Sapiro <[email protected]>
branch nick: 2.1
timestamp: Thu 2018-03-08 17:33:07 -0800
message:
  Added a few more badword checks to Utils.suspiciousHTML().
  Added validation of GUI updates to host_name.
modified:
  Mailman/Gui/General.py
  Mailman/Utils.py
  NEWS


=== modified file 'Mailman/Gui/General.py'
--- Mailman/Gui/General.py	2015-11-28 16:39:30 +0000
+++ Mailman/Gui/General.py	2018-03-09 01:33:07 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2001-2014 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2018 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -559,6 +559,14 @@
                                           or not isinstance(val, IntType)):
             doc.addError(_("""<b>admin_member_chunksize</b> attribute not
             changed!  It must be an integer > 0."""))
+        elif property == 'host_name':
+            try:
+                Utils.ValidateEmail('user@' + val)
+            except Errors.EmailAddressError:
+                doc.addError(_("""<b>host_name</b> attribute not changed!
+                It must be a valid domain name."""))
+            else:
+                GUIBase._setValue(self, mlist, property, val, doc)
         else:
             GUIBase._setValue(self, mlist, property, val, doc)
 
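Review bot: On the new host_name branch, `val` is validated only as the domain half of a synthetic address and is then stored exactly as received, so any surrounding whitespace or other decoration that ValidateEmail accepts in a domain part would land in host_name unchanged; whether the caller or GUIBase._setValue normalizes the value is outside this hunk, and the enclosing method starts before it. Consider `val = val.strip()` ahead of the try, or a one-line comment stating that normalization happens upstream. A second, purely stylistic point: the `GUIBase._setValue(self, mlist, property, val, doc)` call is now duplicated in the try's `else` and in the final `else`; a short comment on the new branch such as `# host_name is stored unchanged once it parses as a domain` would make clear that the duplication is deliberate rather than a merge leftover.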

=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py	2017-10-27 05:56:53 +0000
+++ Mailman/Utils.py	2018-03-09 01:33:07 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2017 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -1019,6 +1019,7 @@
     '<meta',
     '<object',
     '<script',
+    '@keyframes',
     r'\bj(?:ava)?script\b',
     r'\bvbs(?:cript)?\b',
     r'\bdomactivate\b',
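Review bot: None of the new badword entries in this or the four following Utils.py hunks comes with a regression test, and the list carries no comment saying how its entries are matched: the surrounding entries show each one is a regex fragment (`'@keyframes'` is a bare substring like the tag names above it, the rest carry `\b` anchors), but whether the list is joined into a single case-insensitive search is decided in code outside these hunks. A comment at the head of the list, worded to match that combining code, such as `# each entry is a regex fragment; suspiciousHTML() searches for any of them`, plus a unit test that checks suspiciousHTML flags a snippet containing each newly added name, would keep a later edit from silently disabling one of them. The list is otherwise kept alphabetical, so the new entries should follow that order too (see the last hunk).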
@@ -1035,12 +1036,14 @@
     r'\bon(?:de)?activate\b',
     r'\bon(?:after|before)print\b',
     r'\bon(?:after|before)update\b',
+    r'\b(?:on)?animation(?:end|iteration|start)\b',
     r'\bonbefore(?:(?:de)?activate|copy|cut|editfocus|paste)\b',
     r'\bonbeforeunload\b',
     r'\bonbegin\b',
     r'\bonblur\b',
     r'\bonbounce\b',
     r'\bonbroadcast\b',
+    r'\boncanplay(?:through)?\b',
     r'\bon(?:cell)?change\b',
     r'\boncheckboxstatechange\b',
     r'\bon(?:dbl)?click\b',
@@ -1056,7 +1059,9 @@
     r'\bondrag(?:drop|end|enter|exit|gesture|leave|over)?\b',
     r'\bondragstart\b',
     r'\bondrop\b',
-    r'\bonend\b',
+    r'\bondurationchange\b',
+    r'\bonemptied\b',
+    r'\bonend(?:ed)?\b',
     r'\bonerror(?:update)?\b',
     r'\bonfilterchange\b',
     r'\bonfinish\b',
@@ -1066,21 +1071,28 @@
     r'\bonkey(?:up|down|press)\b',
     r'\bonlayoutcomplete\b',
     r'\bon(?:un)?load\b',
+    r'\bonloaded(?:meta)?data\b',
+    r'\bonloadstart\b',
     r'\bonlosecapture\b',
     r'\bonmedia(?:complete|error)\b',
+    r'\bonmessage\b',
     r'\bonmouse(?:down|enter|leave|move|out|over|up|wheel)\b',
     r'\bonmove(?:end|start)?\b',
     r'\bon(?:off|on)line\b',
+    r'\bonopen\b',
     r'\bonoutofsync\b',
     r'\bonoverflow(?:changed)?\b',
     r'\bonpage(?:hide|show)\b',
     r'\bonpaint\b',
     r'\bonpaste\b',
     r'\bonpause\b',
+    r'\bonplay(?:ing)?\b',
+    r'\bonpopstate\b',
     r'\bonpopup(?:hidden|hiding|showing|shown)\b',
     r'\bonprogress\b',
     r'\bonpropertychange\b',
     r'\bonradiostatechange\b',
+    r'\bonratechange\b',
     r'\bonreadystatechange\b',
     r'\bonrepeat\b',
     r'\bonreset\b',
@@ -1090,19 +1102,30 @@
     r'\bonrow(?:delete|enter|exit|inserted)\b',
     r'\bonrows(?:delete|enter|inserted)\b',
     r'\bonscroll\b',
-    r'\bonseek\b',
+    r'\bonsearch\b',
+    r'\bonseek(?:ed|ing)?\b',
     r'\bonselect(?:start)?\b',
     r'\bonselectionchange\b',
+    r'\bonshow\b',
     r'\bonstart\b',
+    r'\bonstalled\b',
     r'\bonstop\b',
+    r'\bonstorage\b',
     r'\bonsubmit\b',
+    r'\bonsuspend\b',
     r'\bonsync(?:from|to)preference\b',
     r'\bonsyncrestored\b',
     r'\bontext\b',
-    r'\bontimeerror\b',
+    r'\bontime(?:error|update)\b',
+    r'\bontoggle\b',
+    r'\bontouch(?:cancel|end|move|start)\b',
     r'\bontrackchange\b',
+    r'\b(?:on)?transitionend\b',
     r'\bonunderflow\b',
     r'\bonurlflip\b',
+    r'\bonvolumechange\b',
+    r'\bonwaiting\b',
+    r'\bonwheel\b',
     r'\bseeksegmenttime\b',
     r'\bsvgabort\b',
     r'\bsvgerror\b',
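Review bot: `r'\bonstalled\b'` is inserted after `r'\bonstart\b'`, which breaks the alphabetical order the rest of the list keeps ("onstalled" sorts before "onstart"); swapping the two lines keeps the list easy to scan when the next event name is added. This is purely a point of style, the match itself is unaffected.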

=== modified file 'NEWS'
--- NEWS	2018-03-09 00:00:54 +0000
+++ NEWS	2018-03-09 01:33:07 +0000
@@ -7,6 +7,11 @@
 
 2.1.27 (xx-xxx-xxxx)
 
+  Security
+
+    - Existing protections against malicious listowners injecting evil
+      scripts into listinfo pages have had a few more checks added.
+
   Bug fixes and other patches
 
     - Bad values in a list's topics will no longer break everything that
