------------------------------------------------------------
revno: 1499
fixes bug: https://launchpad.net/bugs/1372199
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Sun 2014-09-21 19:06:41 -0700
message:
  The options CGI now rejects all but HTTP GET and POST requests.
modified:
  Mailman/Cgi/options.py
  Mailman/Utils.py
  NEWS


--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py	2014-03-22 03:47:45 +0000
+++ Mailman/Cgi/options.py	2014-09-22 02:06:41 +0000
@@ -52,6 +52,18 @@
     doc = Document()
     doc.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
 
+    method = Utils.GetRequestMethod()
+    if method.lower() not in ('get', 'post'):
+        title = _('CGI script error')
+        doc.SetTitle(title)
+        doc.AddItem(Header(2, title))
+        doc.addError(_('Invalid request method: %(method)s'))
+        doc.AddItem('<hr>')
+        doc.AddItem(MailmanLogo())
+        print 'Status: 405 Method Not Allowed'
+        print doc.Format()
+        return
+
     parts = Utils.GetPathPieces()
     lenparts = parts and len(parts)
     if not parts or lenparts < 1:
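Review bot: `method.lower()` in the added guard raises AttributeError when REQUEST_METHOD is absent from the environment, because GetRequestMethod() (added in the Mailman/Utils.py hunk of this same commit) returns `os.environ.get('REQUEST_METHOD')` with no default, so a missing variable yields a traceback rather than the intended 405 page. Guard it with `if method is None or method.lower() not in ('get', 'post'):`, or give the helper a default of `''` in Utils.py. A 405 response is also expected to carry an Allow header naming the permitted methods, so add `print 'Allow: GET, POST'` right after the Status line. Since `method` is request-supplied and is interpolated into the HTML error page via `%(method)s`, it is safer to pass it through Utils.websafe() first unless addError already escapes its argument. The enclosing function (main) begins before this hunk and continues after it.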

=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py	2014-05-29 15:38:47 +0000
+++ Mailman/Utils.py	2014-09-22 02:06:41 +0000
@@ -261,6 +261,11 @@
 
 
 
+def GetRequestMethod():
+    return os.environ.get('REQUEST_METHOD')
+
+
+
 def ScriptURL(target, web_page_url=None, absolute=False):
     """target - scriptname only, nothing extra
     web_page_url - the list's configvar of the same name
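Review bot: GetRequestMethod has no docstring, unlike the neighbouring ScriptURL, and its contract of returning None when the variable is unset is easy to miss at call sites; add `"""Return the HTTP method from the CGI environment (REQUEST_METHOD), or None if unset."""` under the def line. If None is never a useful value to callers, `return os.environ.get('REQUEST_METHOD', '')` gives them a string they can call methods on unconditionally, and the docstring should then say so.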

=== modified file 'NEWS'
--- NEWS	2014-09-19 16:21:24 +0000
+++ NEWS	2014-09-22 02:06:41 +0000
@@ -23,6 +23,9 @@
 
   Bug fixes and other patches
 
+    - The options CGI now rejects all but HTTP GET and POST requests.
+      (LP: #1372199)
+
     - A list's poster password will now be accepted on an Urgent: header.
       (LP: #1371678)
 
