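diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index 8e42f54..e79f454 100755
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -111,7 +111,7 @@ HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s'
 
 # A Python regular expression character class which defines the characters
 # allowed in list names. Lists cannot be created with names containing any
-# character that doesn't match this class.
+# character that doesn't match this class. Do not include '/' in this list.
 ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
 
 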
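Review bot: The added sentence on the `+# character that doesn't match this class.` line tells admins what not to put in the class but not why the shape of the value now matters: Utils.list_exists (second file in this commit) uses the setting as an `re.sub` strip pattern and treats any remainder as hostile, so the value must stay a single bracket expression — an anchored or quantified pattern would strip differently and weaken that check. I would extend the comment to `# Do not include '/' in this list, and keep it a single character class: Utils.list_exists strips these characters and rejects any name with something left over.`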
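diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 8021942..231f72c 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -100,6 +100,12 @@ def list_exists(listname):
     #
     # The former two are for 2.1alpha3 and beyond, while the latter two are
     # for all earlier versions.
+    #
+    # But first ensure the list name doesn't contain a path traversal
+    # attack.
+    if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
+        syslog('mischief', 'Hostile listname: %s', listname)
+        return False
     basepath = Site.get_listpath(listname)
     for ext in ('.pck', '.pck.last', '.db', '.db.last'):
         dbfile = os.path.join(basepath, 'config' + ext)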
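Review bot: The new check at `if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:` rejects only characters outside the class, and `.` is inside it, so the names `.` and `..` pass unchanged; if `Site.get_listpath` simply joins the name onto the lists directory (its body is not visible here), `..` still resolves to the parent directory without any `/`. A cheap guard on the same line would be `if listname in ('.', '..') or re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname):`, which also drops the redundant `len(...) > 0`. The check further assumes the site-configurable setting is a single character class — an anchored or quantified pattern would make `re.sub` strip differently — which deserves a comment such as `# Strip every acceptable character; anything left over means the name is hostile.` `list_exists` begins before this hunk, so the early `return False` only covers callers that treat a false result as "no such list".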