On Wed, 15 Nov 2006 00:50:46 -0600, David Eisenstein <[EMAIL PROTECTED]> wrote:
>
> We still need work on the FC3 version of this package:
> mailman-2.1.5-32.fc3.src.rpm
> in Bugzilla #211676.
This should be easier, as the patches I used from RHEL (attached in this mail)
were for mailmail 2.1.5. Maybe they can be applied directly.
--
---------------------------------------------------------
Lic. Martín Marqués | SELECT 'mmarques' ||
Centro de Telemática | '@' || 'unl.edu.ar';
Universidad Nacional | DBA, Programador,
del Litoral | Administrador
---------------------------------------------------------
--- mailman/Mailman/Handlers/Scrubber.py.orig 2006-06-13 22:05:53.000000000 +0300
+++ mailman/Mailman/Handlers/Scrubber.py 2006-06-13 22:04:24.000000000 +0300
@@ -266,7 +266,11 @@
finally:
os.umask(omask)
desc = part.get('content-description', _('not available'))
- filename = part.get_filename(_('not available'))
+ try:
+ filename = part.get_filename(_('not available'))
+ except ValueError:
+ # Hack to deal with filename containing ' character.
+ filename = _('not available')
del part['content-type']
del part['content-transfer-encoding']
part.set_payload(_("""\
@@ -358,8 +362,16 @@
# e.g. image/jpg (should be image/jpeg). For now we just store such
# things as application/octet-streams since that seems the safest.
ctype = msg.get_content_type()
- fnext = os.path.splitext(msg.get_filename(''))[1]
- ext = guess_extension(ctype, fnext)
+ try:
+ fnext = os.path.splitext(msg.get_filename(''))[1]
+ except ValueError:
+ # Catch the case when msg.get_filename('') fails with a
+ # ValueError: need more than 2 values to unpack
+ # File "/usr/lib/python2.4/email/Utils.py", line 222, in decode_rfc2231
+ # charset, language, s = parts
+ ext = ''
+ else:
+ ext = guess_extension(ctype, fnext)
if not ext:
# We don't know what it is, so assume it's just a shapeless
# application/octet-stream, unless the Content-Type: is
@@ -377,7 +389,11 @@
try:
# Now base the filename on what's in the attachment, uniquifying it if
# necessary.
- filename = msg.get_filename()
+ try:
+ filename = msg.get_filename()
+ except ValueError:
+ # Another case of catching filenames that contain a ' character.
+ filename = ''
if not filename:
filebase = 'attachment'
else:
--- mailman-2.1.5.1/Mailman/Cgi/admindb.py.CVE-2006-3636 2004-04-30 18:50:42.000000000 +0200
+++ mailman-2.1.5.1/Mailman/Cgi/admindb.py 2006-08-23 12:24:06.000000000 +0200
@@ -310,7 +310,7 @@
' ' + _('Permanently ban from this list')
# While the address may be a unicode, it must be ascii
paddr = addr.encode('us-ascii', 'replace')
- table.AddRow(['%s<br><em>%s</em>' % (paddr, fullname),
+ table.AddRow(['%s<br><em>%s</em>' % (paddr, Utils.websafe(fullname)),
radio,
TextBox('comment-%d' % id, size=40)
])
@@ -354,7 +354,7 @@
mlist.HandleRequest(id, mm_cfg.DISCARD)
continue
num += 1
- table.AddRow(['%s<br><em>%s</em>' % (addr, fullname),
+ table.AddRow(['%s<br><em>%s</em>' % (addr, Utils.websafe(fullname)),
RadioButtonArray(id, (_('Defer'),
_('Approve'),
_('Reject'),
--- mailman-2.1.5.1/Mailman/Cgi/create.py.CVE-2006-3636 2004-02-29 18:07:51.000000000 +0100
+++ mailman-2.1.5.1/Mailman/Cgi/create.py 2006-08-23 12:24:06.000000000 +0200
@@ -187,15 +187,24 @@
mlist.Create(listname, owner, pw, langs, emailhost)
finally:
os.umask(oldmask)
- except Errors.EmailAddressError, s:
+ except Errors.EmailAddressError, e:
+ if e.args:
+ s = Utils.websafe(e.args[0])
+ else:
+ s = Utils.websafe(owner)
request_creation(doc, cgidata,
_('Bad owner email address: %(s)s'))
return
except Errors.MMListAlreadyExistsError:
+ # MAS: List already exists so we don't need to websafe it.
request_creation(doc, cgidata,
_('List already exists: %(listname)s'))
return
- except Errors.BadListNameError, s:
+ except Errors.BadListNameError, e:
+ if e.args:
+ s = Utils.websafe(e.args[0])
+ else:
+ s = Utils.websafe(listname)
request_creation(doc, cgidata,
_('Illegal list name: %(s)s'))
return
@@ -318,15 +327,17 @@
ftable.AddRow([Center(Italic(_('List Identity')))])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, colspan=2)
- safelistname = Utils.websafe(cgidata.getvalue('listname', ''))
+ listname = cgidata.getvalue('listname', '')
+ # MAS: Don't websafe twice. TextBox does it.
ftable.AddRow([Label(_('Name of list:')),
- TextBox('listname', safelistname)])
+ TextBox('listname', listname)])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
- safeowner = Utils.websafe(cgidata.getvalue('owner', ''))
+ owner = cgidata.getvalue('owner', '')
+ # MAS: Don't websafe twice. TextBox does it.
ftable.AddRow([Label(_('Initial list owner address:')),
- TextBox('owner', safeowner)])
+ TextBox('owner', owner)])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
--- mailman-2.1.5.1/Mailman/Cgi/options.py.CVE-2006-3636 2004-02-29 17:45:27.000000000 +0100
+++ mailman-2.1.5.1/Mailman/Cgi/options.py 2006-08-23 12:24:06.000000000 +0200
@@ -652,7 +652,7 @@
fullname = Utils.uncanonstr(mlist.getMemberName(user), userlang)
if fullname:
- presentable_user += ', %s' % fullname
+ presentable_user += ', %s' % Utils.websafe(fullname)
# Do replacements
replacements = mlist.GetStandardReplacements(userlang)
--- mailman-2.1.5.1/Mailman/Cgi/edithtml.py.CVE-2006-3636 2002-05-22 05:00:18.000000000 +0200
+++ mailman-2.1.5.1/Mailman/Cgi/edithtml.py 2006-08-23 12:24:06.000000000 +0200
@@ -140,7 +140,8 @@
doc.AddItem('<p>')
doc.AddItem('<hr>')
form = Form(mlist.GetScriptURL('edithtml') + '/' + template_name)
- text = Utils.websafe(Utils.maketext(template_name, raw=1, mlist=mlist))
+ text = Utils.maketext(template_name, raw=1, mlist=mlist)
+ # MAS: Don't websafe twice. TextArea does it.
form.AddItem(TextArea('html_code', text, rows=40, cols=75))
form.AddItem('<p>' + _('When you are done making changes...'))
form.AddItem(SubmitButton('submit', _('Submit Changes')))
--- mailman-2.1.5.1/Mailman/Cgi/admin.py.CVE-2006-3636 2003-12-24 18:27:45.000000000 +0100
+++ mailman-2.1.5.1/Mailman/Cgi/admin.py 2006-08-23 12:25:48.000000000 +0200
@@ -1319,6 +1319,7 @@
# we display. Try uploading a file with 10k names -- it takes a while
# to render the status page.
for entry in entries:
+ safeentry = Utils.websafe(entry)
fullname, address = parseaddr(entry)
# Canonicalize the full name
fullname = Utils.canonstr(fullname, mlist.preferred_language)
@@ -1336,17 +1337,17 @@
send_admin_notif, invitation,
whence='admin mass sub')
except Errors.MMAlreadyAMember:
- subscribe_errors.append((entry, _('Already a member')))
+ subscribe_errors.append((safeentry, _('Already a member')))
except Errors.MMBadEmailError:
if userdesc.address == '':
subscribe_errors.append((_('<blank line>'),
_('Bad/Invalid email address')))
else:
- subscribe_errors.append((entry,
+ subscribe_errors.append((safeentry,
_('Bad/Invalid email address')))
except Errors.MMHostileAddress:
subscribe_errors.append(
- (entry, _('Hostile address (illegal characters)')))
+ (safeentry, _('Hostile address (illegal characters)')))
else:
member = Utils.uncanonstr(formataddr((fullname, address)))
subscribe_success.append(Utils.websafe(member))
@@ -1386,9 +1387,9 @@
addr, whence='admin mass unsub',
admin_notif=send_unsub_notifications,
userack=userack)
- unsubscribe_success.append(addr)
+ unsubscribe_success.append(Utils.websafe(addr))
except Errors.NotAMemberError:
- unsubscribe_errors.append(addr)
+ unsubscribe_errors.append(Utils.websafe(addr))
if unsubscribe_success:
doc.AddItem(Header(5, _('Successfully Unsubscribed:')))
doc.AddItem(UnorderedList(*unsubscribe_success))
--- mailman-2.1.5.1/Mailman/Utils.py.CVE-2006-3636 2003-12-26 23:50:04.000000000 +0100
+++ mailman-2.1.5.1/Mailman/Utils.py 2006-08-23 12:24:06.000000000 +0200
@@ -201,7 +201,7 @@
_badchars = re.compile(r'[][()<>|;^,/\200-\377]')
def ValidateEmail(s):
- """Verify that the an email address isn't grossly evil."""
+ """Verify that an email address isn't grossly evil."""
# Pretty minimal, cheesy check. We could do better...
if not s or s.count(' ') > 0:
raise Errors.MMBadEmailError
--- mailman-2.1.5.1/Mailman/htmlformat.py.CVE-2006-3636 2003-09-22 04:58:13.000000000 +0200
+++ mailman-2.1.5.1/Mailman/htmlformat.py 2006-08-23 12:24:06.000000000 +0200
@@ -448,7 +448,11 @@
class TextBox(InputObj):
def __init__(self, name, value='', size=mm_cfg.TEXTFIELDWIDTH):
- InputObj.__init__(self, name, "TEXT", value, checked=0, size=size)
+ if isinstance(value, str):
+ safevalue = Utils.websafe(value)
+ else:
+ safevalue = value
+ InputObj.__init__(self, name, "TEXT", safevalue, checked=0, size=size)
class Hidden(InputObj):
def __init__(self, name, value=''):
@@ -457,8 +461,12 @@
class TextArea:
def __init__(self, name, text='', rows=None, cols=None, wrap='soft',
readonly=0):
+ if isinstance(text, str):
+ safetext = Utils.websafe(text)
+ else:
+ safetext = text
self.name = name
- self.text = text
+ self.text = safetext
self.rows = rows
self.cols = cols
self.wrap = wrap
--- mailman-2.1.5.1/Mailman/Gui/General.py.CVE-2006-3636 2004-02-17 20:27:46.000000000 +0100
+++ mailman-2.1.5.1/Mailman/Gui/General.py 2006-08-23 12:24:06.000000000 +0200
@@ -433,13 +433,13 @@
GUIBase._setValue(self, mlist, property, val, doc)
def _escape(self, property, value):
- # The 'info' property allows HTML, but lets sanitize it to avoid XSS
+ # The 'info' property allows HTML, but let's sanitize it to avoid XSS
# exploits. Everything else should be fully escaped.
if property <> 'info':
return GUIBase._escape(self, property, value)
# Sanitize <script> and </script> tags but nothing else. Not the best
# solution, but expedient.
- return re.sub(r'<([/]?script.*?)>', r'<\1>', value)
+ return re.sub(r'(?i)<([/]?script.*?)>', r'<\1>', value)
def _postValidate(self, mlist, doc):
if not mlist.reply_to_address.strip() and \
--- mailman-2.1.5.1/Mailman/HTMLFormatter.py.CVE-2006-3636 2003-09-29 17:01:22.000000000 +0200
+++ mailman-2.1.5.1/Mailman/HTMLFormatter.py 2006-08-23 12:24:06.000000000 +0200
@@ -332,8 +332,12 @@
return '</FORM>'
def FormatBox(self, name, size=20, value=''):
+ if isinstance(value, str):
+ safevalue = Utils.websafe(value)
+ else:
+ safevalue = value
return '<INPUT type="Text" name="%s" size="%d" value="%s">' % (
- name, size, value)
+ name, size, safevalue)
def FormatSecureBox(self, name):
return '<INPUT type="Password" name="%s" size="15">' % name
--
fedora-legacy-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
