------------------------------------------------------------
revno: 1577
fixes bug: https://launchpad.net/bugs/1496632
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Wed 2015-09-16 17:20:05 -0700
message:
  Defended against a user submitting URLs with query fragments or POST
  data containing multiple occurrences of the same variable.
modified:
  Mailman/Utils.py
  NEWS


--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py	2015-06-23 19:53:50 +0000
+++ Mailman/Utils.py	2015-09-17 00:20:05 +0000
@@ -454,6 +454,14 @@
 
 _ampre = re.compile('&amp;((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
 def websafe(s):
+    # If a user submits a form or URL with post data or query fragments
+    # with multiple occurrences of the same variable, we can get a list
+    # here.  Be as careful as possible.
+    if isinstance(s, list) or isinstance(s, tuple):
+        if len(s) == 0:
+            s = ''
+        else:
+            s = s[-1]
     if mm_cfg.BROKEN_BROWSER_WORKAROUND:
         # Archiver can pass unicode here. Just skip them as the
         # archiver escapes non-ascii anyway.
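Review bot: in the block added at the top of websafe(), s[-1] is used without checking that the selected element is itself a string, so a non-string element (for example a nested list) still flows into the escaping code below; consider falling back to '' unless the element is a string. The two isinstance calls can be combined as isinstance(s, (list, tuple)), and the comment should say why the last occurrence is chosen rather than the first. Note also that this only normalises values that pass through websafe(); any caller that uses the same form value without escaping it here still receives the list.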

=== modified file 'NEWS'
--- NEWS	2015-09-02 00:10:17 +0000
+++ NEWS	2015-09-17 00:20:05 +0000
@@ -20,6 +20,10 @@
 
   Bug fixes and other patches
 
+    - Defended against a user submitting URLs with query fragments or POST
+      data containing multiple occurrences of the same variable.
+      (LP: #1496632)
+
     - Fixed bin/mailmanctl to check its effective rather than real uid.
       (LP: #1491187)
 
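Review bot: the added NEWS entry does not say what the defence consists of or what happened before it, so a reader cannot tell from it that Utils.websafe() now accepts a list or tuple and uses its last element. Naming the function and the chosen behaviour in the entry would make the change easier to audit.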
