------------------------------------------------------------ revno: 1807 committer: Mark Sapiro <m...@msapiro.net> branch nick: 2.1 timestamp: Fri 2019-03-01 18:24:14 -0800 message: Implement MAX_LISTNAME_LENGTH to avoid calculating on each web access. modified: Mailman/Defaults.py.in Mailman/Utils.py NEWS
=== modified file 'Mailman/Defaults.py.in' --- Mailman/Defaults.py.in 2018-07-12 03:14:02 +0000 +++ Mailman/Defaults.py.in 2019-03-02 02:24:14 +0000 @@ -166,6 +166,15 @@ # character that doesn't match this class. Do not include '/' in this list. ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]' +# The number of characters in the longest listname in the installation. The +# fix for LP: #1780874 truncates list names in web URLs to this length to avoid +# a content spoofing vulnerability. If this is left at its default value of +# 0, the length of the longest listname is calculated on every web access. +# This can have performance implications in installations with a very large +# number of lists. To use this feature to avoid the calculation, set this to +# a number equal to the length of the longest expected valid list name. +MAX_LISTNAME_LENGTH = 0 + # Shall the user's real names be displayed along with their email addresses # in list rosters? Defaults to No to preserve prior behavior. ROSTER_DISPLAY_REALNAME = No === modified file 'Mailman/Utils.py' --- Mailman/Utils.py 2019-01-29 05:48:13 +0000 +++ Mailman/Utils.py 2019-03-02 02:24:14 +0000 @@ -292,11 +292,16 @@ remote) # Check for listname injections that won't be websafed. pieces = [p for p in path.split('/') if p] - # Get the longest listname or 20 if none. - if list_names(): - longest = max([len(x) for x in list_names()]) + # Get the longest listname or 20 if none or use MAX_LISTNAME_LENGTH if + # provided > 0. + if mm_cfg.MAX_LISTNAME_LENGTH > 0: + longest = mm_cfg.MAX_LISTNAME_LENGTH else: - longest = 20 + lst_names = list_names() + if lst_names: + longest = max([len(x) for x in lst_names]) + else: + longest = 20 if pieces and len(pieces[0]) > longest: syslog('mischief', 'Hostile listname: listname=%s: remote=%s', pieces[0], remote) === modified file 'NEWS' --- NEWS 2018-12-30 17:40:15 +0000 +++ NEWS 2019-03-02 02:24:14 +0000 @@ -14,6 +14,13 @@ 
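Review bot: The new comment on `MAX_LISTNAME_LENGTH` never says that the value becomes the bound of the LP: #1780874 content-spoofing check, so a wrong value has a security cost in both directions. If it is set larger than the longest real list name, longer bogus path components get through; if it is smaller than an existing list name, the Utils.py hunk shows that list's own URLs being logged as a hostile listname. I would add a line such as `# Keep this as small as your real list names allow, and revisit it whenever a list with a longer name is created.` The comment could also state that the value must be a plain integer.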
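Review bot: The added `if mm_cfg.MAX_LISTNAME_LENGTH > 0:` branch uses the site-configured value as the spoofing-check bound without confirming it is an integer. Mailman 2.1 runs on Python 2, where a string such as `'40'` compares greater than any int, so the branch is taken and `len(pieces[0]) > longest` can then never be true. That silently disables the hostile-listname check with no error or log entry. Guarding with `if isinstance(mm_cfg.MAX_LISTNAME_LENGTH, (int, long)) and mm_cfg.MAX_LISTNAME_LENGTH > 0:` would make a mis-typed setting fall back to the computed length. The enclosing function starts and ends outside this hunk, so how the truncation itself uses `longest` is not visible here.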
From: addresses listed or matching listed regexps. This can be used to modify mail to addresses that don't accept external mail From: themselves. + + - There is a new MAX_LISTNAME_LENGTH setting. The fix for LP: #1780874 + obtains a list of the names of all the all the lists in the installation + in order to determine the maximum length of a legitimate list name. It + does this on every web access and on sites with a very large number of + lists, this can have performance implications. See the description in + Defaults.py for more information. Bug Fixes and other patches