------------------------------------------------------------ revno: 1499 fixes bug: https://launchpad.net/bugs/1372199 committer: Mark Sapiro <m...@msapiro.net> branch nick: 2.1 timestamp: Sun 2014-09-21 19:06:41 -0700 message: The options CGI now rejects all but HTTP GET and POST requests. modified: Mailman/Cgi/options.py Mailman/Utils.py NEWS
-- lp:mailman/2.1 https://code.launchpad.net/~mailman-coders/mailman/2.1 Your team Mailman Checkins is subscribed to branch lp:mailman/2.1. To unsubscribe from this branch go to https://code.launchpad.net/~mailman-coders/mailman/2.1/+edit-subscription
=== modified file 'Mailman/Cgi/options.py' --- Mailman/Cgi/options.py 2014-03-22 03:47:45 +0000 +++ Mailman/Cgi/options.py 2014-09-22 02:06:41 +0000 @@ -52,6 +52,18 @@ doc = Document() doc.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE) + method = Utils.GetRequestMethod() + if method.lower() not in ('get', 'post'): + title = _('CGI script error') + doc.SetTitle(title) + doc.AddItem(Header(2, title)) + doc.addError(_('Invalid request method: %(method)s')) + doc.AddItem('<hr>') + doc.AddItem(MailmanLogo()) + print 'Status: 405 Method Not Allowed' + print doc.Format() + return + parts = Utils.GetPathPieces() lenparts = parts and len(parts) if not parts or lenparts < 1: === modified file 'Mailman/Utils.py' --- Mailman/Utils.py 2014-05-29 15:38:47 +0000 +++ Mailman/Utils.py 2014-09-22 02:06:41 +0000 @@ -261,6 +261,11 @@ +def GetRequestMethod(): + return os.environ.get('REQUEST_METHOD') + + + def ScriptURL(target, web_page_url=None, absolute=False): """target - scriptname only, nothing extra web_page_url - the list's configvar of the same name === modified file 'NEWS' --- NEWS 2014-09-19 16:21:24 +0000 +++ NEWS 2014-09-22 02:06:41 +0000 @@ -23,6 +23,9 @@ Bug fixes and other patches + - The options CGI now rejects all but HTTP GET and POST requests. + (LP: #1372199) + - A list's poster password will now be accepted on an Urgent: header. (LP: #1371678)
_______________________________________________ Mailman-checkins mailing list Mailman-checkins@python.org Unsubscribe: https://mail.python.org/mailman/options/mailman-checkins/archive%40jab.org