On 2/14/19 10:11 AM, Mark Sapiro wrote:
> On 2/14/19 7:13 AM, Pascal Christen wrote:
>>
>> Ok I got it. I've just reviewed the patch
>> (https://launchpadlibrarian.net/379908276/patch.txt) for CVE-2018-13796
>> and found that line:
>>
>> + longest = max([len(x) for x in list_names()])
>>
>>
>> So at every request it gets ALL lists and saves the length of the
>> longest list into "longest". This works well if you have 1 list, but
>> what if you have about 10'000? Not very well guys :D

I have done two things which are committed at
<https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1807>

I changed the code to call list_names() only once instead of twice, and
I implemented a MAX_LISTNAME_LENGTH setting which if set > 0 is taken as
the longest list name and avoids calling list_names() at all.

I'd still like to understand what the underlying issue is if it's not
just a browser time out.

-- 
Mark Sapiro <[email protected]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
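
The per-request cost discussed in this message, as an added sketch that is not part of the message and is not Mailman's code or the committed revision: it counts how many times a stand-in `list_names()` scans a list directory with two calls per request, with one call, and with a positive `MAX_LISTNAME_LENGTH`-style setting. The directory-scanning stand-in, the fallback value of 20, the lowercase `max_listname_length` parameter and all function names are assumptions made for the illustration.

```python
import os
import tempfile

CALLS = {"list_names": 0}  # counts directory scans, for this demonstration only

def make_list_names(list_dir):
    """Build a stand-in list_names() that scans list_dir (assumed behaviour)."""
    def list_names():
        CALLS["list_names"] += 1
        return [d for d in os.listdir(list_dir)
                if os.path.isdir(os.path.join(list_dir, d))]
    return list_names

def longest_before(list_names, fallback=20):
    """Two full scans per request, as in 'twice' above (fallback is assumed)."""
    if list_names():                                   # scan 1
        return max([len(x) for x in list_names()])     # scan 2
    return fallback

def longest_after(list_names, max_listname_length=0, fallback=20):
    """Scan at most once; a positive setting skips the scan entirely."""
    if max_listname_length > 0:
        return max_listname_length
    names = list_names()
    return max(len(x) for x in names) if names else fallback

def demo(n_lists=200, requests=5):
    """Return {variant: (longest, scans)} over a constructed list directory."""
    with tempfile.TemporaryDirectory() as list_dir:
        for i in range(n_lists):                       # constructed sample lists
            os.mkdir(os.path.join(list_dir, "list%05d" % i))
        list_names = make_list_names(list_dir)
        results = {}
        for label, fn in (
            ("before", lambda: longest_before(list_names)),
            ("after", lambda: longest_after(list_names)),
            ("setting", lambda: longest_after(list_names, max_listname_length=9)),
        ):
            CALLS["list_names"] = 0
            value = [fn() for _ in range(requests)][-1]  # simulate N requests
            results[label] = (value, CALLS["list_names"])
        return results

if __name__ == "__main__":
    for label, (value, scans) in demo().items():
        print("%-8s longest=%d scans=%d" % (label, value, scans))
```

With the setting in place the scan count stays at zero regardless of how many lists exist, so the configured value has to be at least as long as the longest real list name.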
