------------------------------------------------------------
revno: 1577
fixes bug: https://launchpad.net/bugs/1496632
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Wed 2015-09-16 17:39:34 -0700
message:
  Defended against a user submitting URLs with query strings or POST
  data containing multiple occurrences of the same variable.
modified:
  Mailman/Cgi/options.py
  Mailman/Utils.py
  NEWS


--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py	2015-07-21 03:28:37 +0000
+++ Mailman/Cgi/options.py	2015-09-17 00:39:34 +0000
@@ -129,6 +129,14 @@
             return
     else:
         user = Utils.LCDomain(Utils.UnobscureEmail(SLASH.join(parts[1:])))
+    # If a user submits a form or URL with post data or query fragments
+    # with multiple occurrences of the same variable, we can get a list
+    # here.  Be as careful as possible.
+    if isinstance(user, list) or isinstance(user, tuple):
+        if len(user) == 0:
+            user = ''
+        else:
+            user = user[-1]
 
     # Avoid cross-site scripting attacks
     safeuser = Utils.websafe(user)
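Review bot: The new guard on `user` silently keeps the last of several duplicated values, so a polluted request for the field that selects whose options page is shown becomes indistinguishable from a clean one; for an identity-bearing parameter it is safer to reject the request when more than one distinct value was submitted than to pick one. A minimal form is `if isinstance(user, (list, tuple)) and len(set(user)) > 1:` followed by the error path the surrounding code already uses — that object is not visible in this hunk, so I leave the exact call to it. The empty-list and single-value fallbacks can stay as written, and `isinstance(user, (list, tuple))` reads better than the two `or`-ed checks. The enclosing function starts before the hunk, and the branch that can actually yield a list is the one above the visible `return`; the visible `else` branch always produces a string.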

=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py	2015-06-23 19:53:50 +0000
+++ Mailman/Utils.py	2015-09-17 00:39:34 +0000
@@ -234,6 +234,14 @@
 
 def ValidateEmail(s):
     """Verify that an email address isn't grossly evil."""
+    # If a user submits a form or URL with post data or query fragments
+    # with multiple occurrences of the same variable, we can get a list
+    # here.  Be as careful as possible.
+    if isinstance(s, list) or isinstance(s, tuple):
+        if len(s) == 0:
+            s = ''
+        else:
+            s = s[-1]
     # Pretty minimal, cheesy check.  We could do better...
     if not s or s.count(' ') > 0:
         raise Errors.MMBadEmailError
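Review bot: Coercing a list to its last element inside `ValidateEmail` changes what a validator does — a duplicated address parameter is an anomaly the caller should be told about, not normalised away in the function whose job is to say no. Raising keeps the contract and is a one-line change: `if isinstance(s, (list, tuple)): raise Errors.MMBadEmailError`, which every caller already handles for the other rejection cases a few lines down. If the coercion is kept, `isinstance(s, (list, tuple))` is the idiomatic form of the check. The function body continues past the hunk.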
@@ -454,6 +462,14 @@
 
 _ampre = re.compile('&amp;((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
 def websafe(s):
+    # If a user submits a form or URL with post data or query fragments
+    # with multiple occurrences of the same variable, we can get a list
+    # here.  Be as careful as possible.
+    if isinstance(s, list) or isinstance(s, tuple):
+        if len(s) == 0:
+            s = ''
+        else:
+            s = s[-1]
     if mm_cfg.BROKEN_BROWSER_WORKAROUND:
         # Archiver can pass unicode here. Just skip them as the
         # archiver escapes non-ascii anyway.
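Review bot: This is the third verbatim copy of the same eight-line list-to-scalar coercion in this commit (also in `ValidateEmail` and in `options.py`), and placing it in `websafe` — the output-escaping function — means an unexpected type is swallowed at the last possible point rather than at the CGI input boundary. Factor it into one helper in Utils.py so the policy (last value wins, empty list becomes `''`) lives in one place and can be tightened later; `websafe` then reduces to `s = _single_value(s)` ahead of the `BROKEN_BROWSER_WORKAROUND` check. The function continues past the hunk and the rest of its body is unchanged.
```python
def _single_value(s):
    """Collapse a repeated CGI variable to a single value.

    The CGI layer can hand back a list when the same variable occurs more
    than once in a query string or POST body.  Keep the last occurrence and
    map an empty list to ''; anything that is not a list/tuple is returned
    unchanged.
    """
    if not isinstance(s, (list, tuple)):
        return s
    if len(s) == 0:
        return ''
    return s[-1]


def websafe(s):
    s = _single_value(s)
    # ... unchanged: BROKEN_BROWSER_WORKAROUND handling and escaping ...
```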

=== modified file 'NEWS'
--- NEWS	2015-09-02 00:10:17 +0000
+++ NEWS	2015-09-17 00:39:34 +0000
@@ -20,6 +20,10 @@
 
   Bug fixes and other patches
 
+    - Defended against a user submitting URLs with query fragments or POST
+      data containing multiple occurrences of the same variable.
+      (LP: #1496632)
+
     - Fixed bin/mailmanctl to check its effective rather than real uid.
       (LP: #1491187)
 
