------------------------------------------------------------
revno: 1698
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Thu 2017-03-30 12:20:45 -0700
message:
  Fixed unexploitable XSS attack via crafted HTTP Host: header.
modified:
  Mailman/Utils.py
  NEWS


--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py	2016-10-29 17:05:15 +0000
+++ Mailman/Utils.py	2017-03-30 19:20:45 +0000
@@ -759,7 +759,7 @@
     if port and host.endswith(':' + port):
         host = host[:-len(port)-1]
     if mm_cfg.VIRTUAL_HOST_OVERVIEW and host:
-        return host.lower()
+        return websafe(host.lower())
     else:
         # See the note in Defaults.py concerning DEFAULT_URL
         # vs. DEFAULT_URL_HOST.
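Review bot: escaping at the point where the host value is produced, rather than where it is rendered into HTML, is fragile: `websafe(host.lower())` returns an entity-encoded string, so any caller that uses this return value outside an HTML context (building a URL, an e-mail header, or comparing it against a configured virtual host) now receives a transformed value whenever the Host: header contains `<`, `>`, `&` or `"`. Since a legitimate hostname can never contain those characters, a tighter fix is to validate `host` against hostname syntax (letters, digits, `-` and `.`, optionally followed by a port) and fall through to the `else` branch when it does not match; that removes the XSS vector while keeping the return value a plain string. If the `websafe()` call is kept, the function's docstring should state that the result is HTML-escaped so callers do not double-escape it. Also note that the port stripping above only removes the suffix when it equals `port`, so a crafted header carrying a different port suffix is passed on unchanged into `host`.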

=== modified file 'NEWS'
--- NEWS	2017-03-16 03:39:27 +0000
+++ NEWS	2017-03-30 19:20:45 +0000
@@ -7,6 +7,12 @@
 
 2.1.24 (xx-xxx-xxxx)
 
+  Security
+
+    - A most likely unexploitable XSS attach that relies on the Mailman web
+      server passing a crafted Host: header to the CGI environment has been
+      fixed.  Apache for one is not vulnerable.  Thanks to Alqnas Eslam.
+
   New Features
 
     - cron/senddigests has a new -e/--exceptlist option to send pending
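Review bot: "XSS attach" in the new Security entry should read "XSS attack", and the entry would serve operators better if it named the precondition concretely: the issue only arises when the web server passes an unvalidated Host: header through to the CGI environment, which is why Apache is not affected. Consider also saying which Mailman pages render the affected value, so administrators running other CGI front ends can judge their exposure before upgrading.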

_______________________________________________
Mailman-checkins mailing list
Mailman-checkins@python.org