[Mailman-checkins] [Branch ~mailman-coders/mailman/2.1] Rev 1796: Truncate long invalid list names in web error messages.

Mon, 23 Jul 2018 07:14:50 -0700 

------------------------------------------------------------
revno: 1796
fixes bug: https://launchpad.net/bugs/1780874
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Mon 2018-07-23 07:07:29 -0700
message:
  Truncate long invalid list names in web error messages.
modified:
  Mailman/Utils.py
  NEWS


--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

Your team Mailman Checkins is subscribed to branch lp:mailman/2.1.
To unsubscribe from this branch go to 
https://code.launchpad.net/~mailman-coders/mailman/2.1/+edit-subscription

=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py	2018-07-11 06:52:22 +0000
+++ Mailman/Utils.py	2018-07-23 14:07:29 +0000
@@ -280,17 +280,28 @@
 def GetPathPieces(envar='PATH_INFO'):
     path = os.environ.get(envar)
     if path:
+        remote = os.environ.get('HTTP_FORWARDED_FOR',
+                 os.environ.get('HTTP_X_FORWARDED_FOR',
+                 os.environ.get('REMOTE_ADDR',
+                                'unidentified origin')))
         if CRNLpat.search(path):
             path = CRNLpat.split(path)[0]
-            remote = os.environ.get('HTTP_FORWARDED_FOR',
-                     os.environ.get('HTTP_X_FORWARDED_FOR',
-                     os.environ.get('REMOTE_ADDR',
-                                    'unidentified origin')))
             syslog('error',
                 'Warning: Possible malformed path attack domain=%s remote=%s',
                    get_domain(),
                    remote)
-        return [p for p in path.split('/') if p]
+        # Check for listname injections that won't be websafed.
+        pieces = [p for p in path.split('/') if p]
+        # Get the longest listname or 20 if none.
+        if list_names():
+            longest = max([len(x) for x in list_names()])
+        else:
+            longest = 20
+        if len(pieces[0]) > longest:
+            syslog('mischief',
+               'Hostile listname: listname=%s: remote=%s', pieces[0], remote)
+            pieces[0] = pieces[0][:longest] + '...'
+        return pieces
     return None
 
 

=== modified file 'NEWS'
--- NEWS	2018-07-19 16:39:12 +0000
+++ NEWS	2018-07-23 14:07:29 +0000
@@ -5,7 +5,12 @@
 
 Here is a history of user visible changes to Mailman.
 
-2.1.28 (xx-xxx-xxxx)
+2.1.28 (23-Jul-2018)
+
+  Security
+ 
+    - A content spoofing vulnerability with invalid list name messages in
+      the web UI has been fixed.  CVE-2018-13796  (LP: #1780874)
 
   New Features
 


_______________________________________________
Mailman-checkins mailing list
Mailman-checkins@python.org
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-checkins/archive%40jab.org

Reply via email to