------------------------------------------------------------ revno: 1743 fixes bug: https://launchpad.net/bugs/1747209 committer: Mark Sapiro <m...@msapiro.net> branch nick: 2.1 timestamp: Sun 2018-02-04 08:41:19 -0800 message: Fix XSS and info leak in options CGI - CVE-2018-5950 modified: Mailman/Cgi/options.py NEWS
=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py 2017-06-08 02:51:02 +0000
+++ Mailman/Cgi/options.py 2018-02-04 16:41:19 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2017 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -200,20 +200,6 @@
 doc.set_language(userlang)
 i18n.set_language(userlang)
- # See if this is VARHELP on topics.
- varhelp = None
- if cgidata.has_key('VARHELP'):
- varhelp = cgidata['VARHELP'].value
- elif os.environ.get('QUERY_STRING'):
- # POST methods, even if their actions have a query string, don't get
- # put into FieldStorage's keys :-(
- qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
- if qs and type(qs) == types.ListType:
- varhelp = qs[0]
- if varhelp:
- topic_details(mlist, doc, user, cpuser, userlang, varhelp)
- return
-
 # Are we processing an unsubscription request from the login screen?
 msgc = _('If you are a list member, a confirmation email has been sent.')
 msga = _("""If you are a list member, your unsubscription request has been
@@ -340,6 +326,22 @@
 print doc.Format()
 return
+ # See if this is VARHELP on topics.
+ varhelp = None
+ if cgidata.has_key('VARHELP'):
+ varhelp = cgidata['VARHELP'].value
+ elif os.environ.get('QUERY_STRING'):
+ # POST methods, even if their actions have a query string, don't get
+ # put into FieldStorage's keys :-(
+ qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
+ if qs and type(qs) == types.ListType:
+ varhelp = qs[0]
+ if varhelp:
+ # Sanitize the topic name.
+ varhelp = re.sub('<.*', '', varhelp)
+ topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+ return
+
 if cgidata.has_key('logout'):
 print mlist.ZapCookie(mm_cfg.AuthUser, user)
 loginpage(mlist, doc, user, language)
=== modified file 'NEWS'
--- NEWS 2018-01-30 16:21:50 +0000
+++ NEWS 2018-02-04 16:41:19 +0000
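Review bot: The new `varhelp = re.sub('<.*', '', varhelp)` in the third hunk is a blacklist that only neutralizes tag injection; if `topic_details` reflects the topic name inside an attribute or a URL, quote characters and `javascript:` payloads pass untouched, and the body of `topic_details` is not visible here to confirm it escapes on output. Since VARHELP is meant to name one of the list's configured topics, rejecting any value that is not an exact match against those names would be a positive filter, and failing that, escaping at the output point with `cgi.escape(varhelp, True)` covers every HTML context rather than just `<`. The hunk also relies on `re` without an import in view, so it is worth confirming the module is already imported at the top of options.py. The enclosing `main` begins and ends outside this hunk, so the authentication path that precedes the relocated block (the `print doc.Format()` / `return` exit) cannot be fully checked from here.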
@@ -5,7 +5,15 @@
 Here is a history of user visible changes to Mailman.
-2.1.26 (xx-xxx-xxxx)
+2.1.26 (04-Feb-2018)
+
+ Security
+
+ - An XSS vulnerability in the user options CGI could allow a crafted URL
+ to execute arbitrary javascript in a user's browser. A related issue
+ could expose information on a user's options page without requiring
+ login. These are fixed. Thanks to Calum Hutton for the report.
+ CVE-2018-5950 (LP: #1747209)
 New Features