------------------------------------------------------------
revno: 1720
fixes bug: https://launchpad.net/bugs/1705736
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Fri 2017-07-21 09:16:33 -0700
message:
  Changed wrapper environment cleaning from blacklist to whitelist.
modified:
  NEWS
  src/common.c


=== modified file 'NEWS'
--- NEWS	2017-06-24 21:34:48 +0000
+++ NEWS	2017-07-21 16:16:33 +0000
@@ -21,6 +21,9 @@
 
   Bug fixes and other patches
 
+    - Changed the SETGID wrappers to only pass those items in the environment
+      that are needed by the called scripts.  (LP: #1705736)
+
     - Fixed MTA/Postfix.py to ensure that created aliases(.db) and
       virtual-mailman(.db) files are readable by Postfix and the .db files are
       owned by the Mailman user.  (LP: #1696066)

=== modified file 'src/common.c'
--- src/common.c	2006-09-11 12:13:08 +0000
+++ src/common.c	2017-07-21 16:16:33 +0000
@@ -162,20 +162,36 @@
 
 
 
-/* list of environment variables which are removed from the given
+/* list of environment variables which are kept in the given
  * environment.  Some may or may not be hand crafted and passed into
  * the execv'd environment.
  *
  * TBD: The logic of this should be inverted.  IOW, we should audit the
  * Mailman CGI code for those environment variables that are used, and
- * specifically white list them, removing all other variables.  John Viega
+ * specifically white list them, removing all other variables.
+ * MAS: This is now done.
+ *
+ * John Viega
  * also suggests imposing a maximum size just in case Python doesn't handle
  * them right (which it should because Python strings have no hard limits).
  */
-static char* killenvars[] = {
-        "PYTHONPATH=",
-        "PYTHONHOME=",
-        "PATH=",
+static char* keepenvars[] = {
+        "CONTENT_TYPE=",
+        "HOST=",
+        "HTTP_COOKIE=",
+        "HTTP_FORWARDED_FOR=",
+        "HTTP_HOST=",
+        "HTTP_X_FORWARDED_FOR=",
+        "LOGNAME=",
+        "PATH_INFO=",
+        "QUERY_STRING=",
+        "REMOTE_ADDR=",
+        "REQUEST_METHOD=",
+        "REQUEST_URI=",
+        "SCRIPT_NAME=",
+        "SERVER_NAME=",
+        "SERVER_PORT=",
+        "USER=",
         NULL
 };
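Review bot: The header comment above `keepenvars` still reads as the old blacklist description with a "TBD ... MAS: This is now done." appended, so a reader has to reconstruct the current contract from a stale to-do; it should be rewritten to state what the table now means. Something like `/* Environment variables the wrapped CGI scripts are known to read. Every entry is matched as a prefix against "NAME=", and anything not listed is dropped before execv; keep this in sync with the os.environ lookups in the Mailman CGI code. */` would replace lines 43–55. Since this is now a whitelist, the failure mode flips from passing a dangerous variable to silently dropping one the scripts need (for example, if any CGI consults HTTPS or REMOTE_HOST those are no longer forwarded — worth confirming against the Python side, which is not visible here), so the comment should also say where to look when a script stops seeing a variable.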
 
@@ -232,11 +248,11 @@
 
         /* filter out any troublesome environment variables */
         for (i = 0, j = 0; i < envcnt; i++) {
-                char** k = &killenvars[0];
-                int keep = 1;
+                char** k = &keepenvars[0];
+                int keep = 0;
                 while (*k) {
                         if (!strncmp(*k, env[i], strlen(*k))) {
-                                keep = 0;
+                                keep = 1;
                                 break;
                         }
                         *k++;
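Review bot: The loop advance on the last line of the hunk, `*k++;`, dereferences the pointer and discards the result; it advances `k` only as a side effect and draws an unused-value warning from compilers. Writing it as `k++;` makes the intent explicit and is what the adjacent logic expects. While touching the loop, `strlen(*k)` is recomputed for every environment entry on each pass; hoisting it is optional but cheap, e.g. `size_t klen = strlen(*k); if (!strncmp(*k, env[i], klen))`. The enclosing function starts before this hunk and continues after it, so the filtered result's use at the execv call is not visible here.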
