------------------------------------------------------------ revno: 1663 fixes bug: https://launchpad.net/bugs/1602608 committer: Mark Sapiro <m...@msapiro.net> branch nick: 2.1 timestamp: Thu 2016-07-14 14:27:49 -0700 message: Catch TypeError from certain defective crafted POST requests. modified: Mailman/Cgi/admin.py Mailman/Cgi/admindb.py Mailman/Cgi/confirm.py Mailman/Cgi/create.py Mailman/Cgi/edithtml.py Mailman/Cgi/listinfo.py Mailman/Cgi/options.py Mailman/Cgi/private.py Mailman/Cgi/rmlist.py Mailman/Cgi/roster.py Mailman/Cgi/subscribe.py NEWS
=== modified file 'Mailman/Cgi/admin.py' --- Mailman/Cgi/admin.py 2016-05-17 19:33:14 +0000 +++ Mailman/Cgi/admin.py 2016-07-14 21:27:49 +0000 @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2015 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2016 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -86,6 +86,18 @@ i18n.set_language(mlist.preferred_language) # If the user is not authenticated, we're done. cgidata = cgi.FieldStorage(keep_blank_values=1) + try: + cgidata.getvalue('csrf_token', '') + except TypeError: + # Someone crafted a POST with a bad Content-Type:. + doc = Document() + doc.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE) + doc.AddItem(Header(2, _("Error"))) + doc.AddItem(Bold(_('Invalid options to CGI script.'))) + # Send this with a 400 status. + print 'Status: 400 Bad Request' + print doc.Format() + return # CSRF check safe_params = ['VARHELP', 'adminpw', 'admlogin', === modified file 'Mailman/Cgi/admindb.py' --- Mailman/Cgi/admindb.py 2016-05-23 05:32:43 +0000 +++ Mailman/Cgi/admindb.py 2016-07-14 21:27:49 +0000 @@ -122,6 +122,18 @@ # Make sure the user is authorized to see this page. cgidata = cgi.FieldStorage(keep_blank_values=1) + try: + cgidata.getvalue('adminpw', '') + except TypeError: + # Someone crafted a POST with a bad Content-Type:. + doc = Document() + doc.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE) + doc.AddItem(Header(2, _("Error"))) + doc.AddItem(Bold(_('Invalid options to CGI script.'))) + # Send this with a 400 status. + print 'Status: 400 Bad Request' + print doc.Format() + return if not mlist.WebAuthenticate((mm_cfg.AuthListAdmin, mm_cfg.AuthListModerator, === modified file 'Mailman/Cgi/confirm.py' --- Mailman/Cgi/confirm.py 2015-01-23 00:09:03 +0000 +++ Mailman/Cgi/confirm.py 2016-07-14 21:27:49 +0000 
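Review bot: The error page in the new admin.py block is built with `doc.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)` while the context line just above has already run `i18n.set_language(mlist.preferred_language)`, so the `_()` strings are translated in the list's language but the document (and hence the charset it declares) is the server default; when the two differ the 400 page can come out mis-encoded. Since `mlist` is already open here, `doc.set_language(mlist.preferred_language)` matches the translation state, which is what the private.py hunk in this same commit ends up doing. The same ten-line try/except is now pasted into eleven CGIs; a single helper in Utils taking the FieldStorage and the Document would keep future changes to this check (logging, wording, status) in one place. main() starts outside the hunk.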
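Review bot: Nothing is logged when the new admindb.py block rejects a request, even though the comment on it already classifies the request as crafted; an operator looking for probing of the moderation interface gets only a 400 in the web server log. If admindb.py has Mailman's `syslog` in scope (the imports are outside the hunk, so confirm the name), a one-liner such as `syslog('mischief', 'admindb: non-form-encoded POST rejected')` before the `print` lines would surface this alongside the other bad-request cases. The probe key `'adminpw'` is discarded, which is fine because the TypeError depends on FieldStorage state rather than on the key, but a short comment saying so would stop the next reader from turning it into a real lookup. main() starts outside the hunk.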
@@ -1,4 +1,4 @@ -# Copyright (C) 2001-2015 by the Free Software Foundation, Inc. +# Copyright (C) 2001-2016 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -73,7 +73,17 @@ # Get the form data to see if this is a second-step confirmation cgidata = cgi.FieldStorage(keep_blank_values=1) - cookie = cgidata.getvalue('cookie') + try: + cookie = cgidata.getvalue('cookie') + except TypeError: + # Someone crafted a POST with a bad Content-Type:. + doc.AddItem(Header(2, _("Error"))) + doc.AddItem(Bold(_('Invalid options to CGI script.'))) + # Send this with a 400 status. + print 'Status: 400 Bad Request' + print doc.Format() + return + if cookie == '': ask_for_cookie(mlist, doc, _('Confirmation string was empty.')) return === modified file 'Mailman/Cgi/create.py' --- Mailman/Cgi/create.py 2010-02-27 17:57:24 +0000 +++ Mailman/Cgi/create.py 2016-07-14 21:27:49 +0000 @@ -1,4 +1,4 @@ -# Copyright (C) 2001-2010 by the Free Software Foundation, Inc. +# Copyright (C) 2001-2016 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -43,6 +43,17 @@ doc.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE) cgidata = cgi.FieldStorage() + try: + cgidata.getvalue('doit', '') + except TypeError: + # Someone crafted a POST with a bad Content-Type:. + doc.AddItem(Header(2, _("Error"))) + doc.AddItem(Bold(_('Invalid options to CGI script.'))) + # Send this with a 400 status. + print 'Status: 400 Bad Request' + print doc.Format() + return + parts = Utils.GetPathPieces() if parts: # Bad URL specification === modified file 'Mailman/Cgi/edithtml.py' --- Mailman/Cgi/edithtml.py 2016-05-19 00:40:27 +0000 +++ Mailman/Cgi/edithtml.py 2016-07-14 21:27:49 +0000 
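Review bot: The comment `# Someone crafted a POST with a bad Content-Type:.` in the confirm.py block names the symptom but not the mechanism, and the mechanism is what justifies guarding only the first lookup: for a POST whose Content-Type is neither form-urlencoded nor multipart, Python 2's cgi.FieldStorage ends up with no field list and every getvalue() on it raises TypeError regardless of key. I would replace the comment with something like `# Non-form-encoded POST body: cgi.FieldStorage has no field list, so any getvalue() raises TypeError (LP: #1602608).` so the single guarded call is understood to cover the later ones. The `doc` reused here is created outside the hunk, so I cannot check which language it carries relative to the `_()` strings. main() starts outside the hunk.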
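Review bot: In the create.py block the result of `cgidata.getvalue('doit', '')` is thrown away, so the line reads as a no-op to anyone who does not know it is a probe for a non-form-encoded body. An explicit state test would say what is meant without a dummy key, e.g. `if getattr(cgidata, 'list', None) is None:` in place of the try/except; that attribute is itself an internal of FieldStorage, so if the project prefers to stay on the public API a one-line comment on the probe is the minimum. create.py also constructs `cgi.FieldStorage()` without `keep_blank_values=1`, unlike admin.py in the same commit; that predates this change and only matters if blank fields are meaningful here. main() starts outside the hunk.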
@@ -93,6 +93,16 @@ # Must be authenticated to get any farther cgidata = cgi.FieldStorage() + try: + cgidata.getvalue('adminpw', '') + except TypeError: + # Someone crafted a POST with a bad Content-Type:. + doc.AddItem(Header(2, _("Error"))) + doc.AddItem(Bold(_('Invalid options to CGI script.'))) + # Send this with a 400 status. + print 'Status: 400 Bad Request' + print doc.Format() + return # Editing the html for a list is limited to the list admin and site admin. if not mlist.WebAuthenticate((mm_cfg.AuthListAdmin, === modified file 'Mailman/Cgi/listinfo.py' --- Mailman/Cgi/listinfo.py 2016-05-17 19:33:14 +0000 +++ Mailman/Cgi/listinfo.py 2016-07-14 21:27:49 +0000 @@ -58,7 +58,19 @@ # See if the user want to see this page in other language cgidata = cgi.FieldStorage() - language = cgidata.getvalue('language') + try: + language = cgidata.getvalue('language') + except TypeError: + # Someone crafted a POST with a bad Content-Type:. + doc = Document() + doc.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE) + doc.AddItem(Header(2, _("Error"))) + doc.AddItem(Bold(_('Invalid options to CGI script.'))) + # Send this with a 400 status. + print 'Status: 400 Bad Request' + print doc.Format() + return + if not Utils.IsLanguage(language): language = mlist.preferred_language i18n.set_language(language) === modified file 'Mailman/Cgi/options.py' --- Mailman/Cgi/options.py 2015-12-06 20:00:29 +0000 +++ Mailman/Cgi/options.py 2016-07-14 21:27:49 +0000 @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2015 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2016 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License 
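Review bot: The fallback page in the listinfo.py block is declared with `doc.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)` although the code two lines below falls back to `mlist.preferred_language` whenever no usable `language` field arrives, and `mlist` is clearly open at this point. Using `doc.set_language(mlist.preferred_language)` keeps the error page in the same language and charset as the list's own pages and avoids a mismatch with whatever i18n language is current when `_()` runs (the earlier `i18n.set_language` call is outside the hunk, so I cannot confirm which one that is). main() starts outside the hunk.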
@@ -108,7 +108,17 @@ # we might have a 'language' key in the cgi data. That was an explicit # preference to view the page in, so we should honor that here. If that's # not available, use the list's default language. - language = cgidata.getvalue('language') + try: + language = cgidata.getvalue('language') + except TypeError: + # Someone crafted a POST with a bad Content-Type:. + doc.AddItem(Header(2, _("Error"))) + doc.AddItem(Bold(_('Invalid options to CGI script.'))) + # Send this with a 400 status. + print 'Status: 400 Bad Request' + print doc.Format() + return + if not Utils.IsLanguage(language): language = mlist.preferred_language i18n.set_language(language) === modified file 'Mailman/Cgi/private.py' --- Mailman/Cgi/private.py 2014-03-22 03:47:45 +0000 +++ Mailman/Cgi/private.py 2016-07-14 21:27:49 +0000 @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2014 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2016 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -118,7 +118,16 @@ doc.set_language(mlist.preferred_language) cgidata = cgi.FieldStorage() - username = cgidata.getvalue('username', '') + try: + username = cgidata.getvalue('username', '') + except TypeError: + # Someone crafted a POST with a bad Content-Type:. + doc.AddItem(Header(2, _("Error"))) + doc.AddItem(Bold(_('Invalid options to CGI script.'))) + # Send this with a 400 status. + print 'Status: 400 Bad Request' + print doc.Format() + return password = cgidata.getvalue('password', '') is_auth = 0 === modified file 'Mailman/Cgi/rmlist.py' --- Mailman/Cgi/rmlist.py 2014-05-03 04:42:31 +0000 +++ Mailman/Cgi/rmlist.py 2016-07-14 21:27:49 +0000 
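Review bot: In the private.py block only the `username` lookup is inside the try, while `password = cgidata.getvalue('password', '')` on the very next line is not; that is correct, because any lookup on a FieldStorage built from a non-form-encoded body raises the TypeError, but nothing in the hunk says so and a later reader may either wrap the password line too or assume it was overlooked. A comment on the except, e.g. `# Any lookup raises for a non-form POST, so guarding the first one covers the rest.`, pins that down. Here the reused `doc` was set to `mlist.preferred_language` just above, so the translated `_()` strings and the document language agree; the admin.py and listinfo.py hunks in this commit would benefit from the same choice. main() starts outside the hunk.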
@@ -1,4 +1,4 @@ -# Copyright (C) 2001-2014 by the Free Software Foundation, Inc. +# Copyright (C) 2001-2016 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -41,6 +41,17 @@ doc.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE) cgidata = cgi.FieldStorage() + try: + cgidata.getvalue('password', '') + except TypeError: + # Someone crafted a POST with a bad Content-Type:. + doc.AddItem(Header(2, _("Error"))) + doc.AddItem(Bold(_('Invalid options to CGI script.'))) + # Send this with a 400 status. + print 'Status: 400 Bad Request' + print doc.Format() + return + parts = Utils.GetPathPieces() if not parts: === modified file 'Mailman/Cgi/roster.py' --- Mailman/Cgi/roster.py 2014-03-22 03:47:45 +0000 +++ Mailman/Cgi/roster.py 2016-07-14 21:27:49 +0000 @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2014 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2016 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -63,7 +63,19 @@ cgidata = cgi.FieldStorage() # messages in form should go in selected language (if any...) - lang = cgidata.getvalue('language') + try: + lang = cgidata.getvalue('language') + except TypeError: + # Someone crafted a POST with a bad Content-Type:. + doc = Document() + doc.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE) + doc.AddItem(Header(2, _("Error"))) + doc.AddItem(Bold(_('Invalid options to CGI script.'))) + # Send this with a 400 status. + print 'Status: 400 Bad Request' + print doc.Format() + return + if not Utils.IsLanguage(lang): lang = mlist.preferred_language i18n.set_language(lang) === modified file 'Mailman/Cgi/subscribe.py' --- Mailman/Cgi/subscribe.py 2015-06-23 13:40:09 +0000 +++ Mailman/Cgi/subscribe.py 2016-07-14 21:27:49 +0000 
@@ -1,4 +1,4 @@ -# Copyright (C) 1998-2015 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2016 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -70,7 +70,16 @@ # See if the form data has a preferred language set, in which case, use it # for the results. If not, use the list's preferred language. cgidata = cgi.FieldStorage() - language = cgidata.getvalue('language') + try: + language = cgidata.getvalue('language', '') + except TypeError: + # Someone crafted a POST with a bad Content-Type:. + doc.AddItem(Header(2, _("Error"))) + doc.AddItem(Bold(_('Invalid options to CGI script.'))) + # Send this with a 400 status. + print 'Status: 400 Bad Request' + print doc.Format() + return if not Utils.IsLanguage(language): language = mlist.preferred_language i18n.set_language(language) === modified file 'NEWS' --- NEWS 2016-07-13 17:13:18 +0000 +++ NEWS 2016-07-14 21:27:49 +0000 @@ -48,6 +48,9 @@ Bug fixes and other patches + - We no longer throw an uncaught TypeError with certain defective crafted + POST requests to Mailman's CGIs. (LP: #1602608) + - Scrubber links in archives are now in the list's preferred_language rather than the poster's language. (LP: #1586505)
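Review bot: The subscribe.py block quietly changes `cgidata.getvalue('language')` to `cgidata.getvalue('language', '')`, so a form without a language field now yields `''` where it yielded `None`; the commit message does not mention this, and listinfo.py, options.py and roster.py in the same commit leave the default unchanged. As long as `Utils.IsLanguage('')` is false the fallback to `mlist.preferred_language` still happens, but that is not visible here, and an unintended divergence between four copies of the same lookup is the kind of thing that bites on the next refactor; either drop the `''` default to match the others or add a comment stating why subscribe.py wants it. main() starts outside the hunk.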