------------------------------------------------------------
revno: 1743
fixes bug: https://launchpad.net/bugs/1747209
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Sun 2018-02-04 08:41:19 -0800
message:
  Fix XSS and info leak in options CGI - CVE-2018-5950
modified:
  Mailman/Cgi/options.py
  NEWS


--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py	2017-06-08 02:51:02 +0000
+++ Mailman/Cgi/options.py	2018-02-04 16:41:19 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2017 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -200,20 +200,6 @@
     doc.set_language(userlang)
     i18n.set_language(userlang)
 
-    # See if this is VARHELP on topics.
-    varhelp = None
-    if cgidata.has_key('VARHELP'):
-        varhelp = cgidata['VARHELP'].value
-    elif os.environ.get('QUERY_STRING'):
-        # POST methods, even if their actions have a query string, don't get
-        # put into FieldStorage's keys :-(
-        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
-        if qs and type(qs) == types.ListType:
-            varhelp = qs[0]
-    if varhelp:
-        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
-        return
-
     # Are we processing an unsubscription request from the login screen?
     msgc = _('If you are a list member, a confirmation email has been sent.')
     msga = _("""If you are a list member, your unsubscription request has been
@@ -340,6 +326,22 @@
         print doc.Format()
         return
 
+    # See if this is VARHELP on topics.
+    varhelp = None
+    if cgidata.has_key('VARHELP'):
+        varhelp = cgidata['VARHELP'].value
+    elif os.environ.get('QUERY_STRING'):
+        # POST methods, even if their actions have a query string, don't get
+        # put into FieldStorage's keys :-(
+        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
+        if qs and type(qs) == types.ListType:
+            varhelp = qs[0]
+    if varhelp:
+        # Sanitize the topic name.
+        varhelp = re.sub('<.*', '', varhelp)
+        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+        return
+
     if cgidata.has_key('logout'):
         print mlist.ZapCookie(mm_cfg.AuthUser, user)
         loginpage(mlist, doc, user, language)
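Review bot: The sanitizer on the new side, `varhelp = re.sub('<.*', '', varhelp)`, is a denylist that only truncates the value at its first `<`; anything in the topic name that reaches the HTML output without a `<` (quote characters if it ends up inside an attribute, or markup that `topic_details` itself builds around the value) is passed through unchanged. Since the value is request-controlled and, as far as this hunk shows, is still handed verbatim to `topic_details`, the more robust fix is to escape it where it is rendered (Mailman's `Utils.websafe(varhelp)` if it is in scope here, else `cgi.escape(varhelp, True)`) and to use it only as a lookup key against the list's configured topics, echoing the configured name rather than the request value. The regex also depends on `re` being imported in this module, which the hunk does not show; worth confirming at the top of the file. A style point on the moved block: `type(qs) == types.ListType` reads better as `isinstance(qs, list)`. The enclosing function starts and ends outside the hunk.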

=== modified file 'NEWS'
--- NEWS	2018-01-30 16:21:50 +0000
+++ NEWS	2018-02-04 16:41:19 +0000
@@ -5,7 +5,15 @@
 
 Here is a history of user visible changes to Mailman.
 
-2.1.26 (xx-xxx-xxxx)
+2.1.26 (04-Feb-2018)
+
+  Security
+
+    - An XSS vulnerability in the user options CGI could allow a crafted URL
+      to execute arbitrary javascript in a user's browser.  A related issue
+      could expose information on a user's options page without requiring
+      login.  These are fixed.  Thanks to Calum Hutton for the report.
+      CVE-2018-5950  (LP: #1747209)
 
   New Features
 
