------------------------------------------------------------
revno: 1356
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.2
timestamp: Sun 2014-09-21 19:12:49 -0700
message:
  The options CGI now rejects all but HTTP GET and POST requests.
modified:
  Mailman/Cgi/options.py
  Mailman/Utils.py
  NEWS


--
lp:mailman/2.2
https://code.launchpad.net/~mailman-coders/mailman/2.2

=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py	2014-03-22 03:46:01 +0000
+++ Mailman/Cgi/options.py	2014-09-22 02:12:49 +0000
@@ -53,6 +53,18 @@
     doc = Document()
     doc.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
 
+    method = Utils.GetRequestMethod()
+    if method.lower() not in ('get', 'post'):
+        title = _('CGI script error')
+        doc.SetTitle(title)
+        doc.AddItem(Header(2, title))
+        doc.addError(_('Invalid request method: %(method)s'))
+        doc.AddItem('<hr>')
+        doc.AddItem(MailmanLogo())
+        print 'Status: 405 Method Not Allowed'
+        print doc.Format()
+        return
+
     parts = Utils.GetPathPieces()
     lenparts = parts and len(parts)
     if not parts or lenparts < 1:
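Review bot: `method.lower()` on the second added line raises AttributeError when REQUEST_METHOD is absent from the CGI environment, because `GetRequestMethod()` (the Utils.py hunk below) returns `os.environ.get('REQUEST_METHOD')` with no default, so such a request gets a traceback instead of the intended 405 page. The same value is then echoed into the HTML error page through `%(method)s` without `Utils.websafe()`; unless `addError` escapes its argument, whatever method string the client sent is reflected into the response as-is. Suggest `method = Utils.GetRequestMethod() or ''` for the first added line and, as the first statement inside the `if` branch, `method = Utils.websafe(method)`, which keeps the translatable string's `%(method)s` key unchanged, assuming `_()` interpolates from the caller's locals as the hunk's usage implies. The enclosing function starts before the hunk and continues after it.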

=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py	2014-05-29 15:41:20 +0000
+++ Mailman/Utils.py	2014-09-22 02:12:49 +0000
@@ -262,6 +262,11 @@
 
 
 
+def GetRequestMethod():
+    return os.environ.get('REQUEST_METHOD')
+
+
+
 def ScriptURL(target, web_page_url=None, absolute=False):
     """target - scriptname only, nothing extra
     web_page_url - the list's configvar of the same name
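Review bot: `GetRequestMethod` has no docstring, and its contract of returning `None` when the variable is unset is exactly what the caller in options.py must guard against, so it is worth stating. Suggest adding `"""Return the CGI REQUEST_METHOD environment variable, or None if it is unset."""` as the function's first line, matching the docstring style of the neighbouring `ScriptURL`.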

=== modified file 'NEWS'
--- NEWS	2014-09-19 16:24:03 +0000
+++ NEWS	2014-09-22 02:12:49 +0000
@@ -67,6 +67,9 @@
 
   Bug fixes and other patches
 
+    - The options CGI now rejects all but HTTP GET and POST requests.
+      (LP: #1372199)
+
     - A list's poster password will now be accepted on an Urgent: header.
       (LP: #1371678)
 
