mailman/contribs7/mailman-2.1-CAN-2004-1177.patch

--- mailman-2.1.5.orig/scripts/driver   2003-04-20 00:52:55.000000000 -0400
+++ /usr/src/local/mailman/mailman/scripts/driver       2004-12-27 19:38:22.000000000 -0500
@@ -1,6 +1,6 @@
 # -*- python -*-
 
-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2004 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -28,7 +28,11 @@
 # comfortable with.  By setting STEALTH_MODE to 1, you disable the printing of
 # this information to the web pages.  This information is still, and always,
 # printed in the error logs.
-STEALTH_MODE = 0
+STEALTH_MODE = 1
+
+# This will be set to the entity escaper.
+def websafe(s):
+    return s
 
 
 
@@ -53,12 +57,22 @@
 
 
 def run_main():
+    global STEALTH_MODE, websafe
+
     # These will ensure that even if something between now and the
     # creation of the real logger below fails, we can still get
     # *something* meaningful.
     logger = None
     try:
         import paths
+        # When running in non-stealth mode, we need to escape entities,
+        # otherwise we're vulnerable to cross-site scripting attacks.
+        try:
+            if not STEALTH_MODE:
+                from Mailman.Utils import websafe
+        except:
+            STEALTH_MODE = 1
+            raise
         # Map stderr to a logger, if possible.
         from Mailman.Logging.StampedLogger import StampedLogger
         logger = StampedLogger('error',
@@ -140,11 +154,13 @@
 a description of what happened.  Thanks!
 
 <h4>Traceback:</h4><p><pre>'''
+        exc_info = sys.exc_info()
         if traceback:
-            traceback.print_exc(file=sys.stdout)
+            for line in traceback.format_exception(*exc_info):
+                print websafe(line),
         else:
             print '[failed to import module traceback]'
-            print '[exc: %s, var: %s]' % sys.exc_info()[0:2]
+            print '[exc: %s, var: %s]' % [websafe(x) for x in exc_info[0:2]]
         print '\n\n</pre></body>'
     else:
         print '''<p>Please inform the webmaster for this site of this
@@ -212,7 +228,9 @@
 '''
         if os:
             for k, v in os.environ.items():
-                print '<tr><td><tt>', k, '</tt></td><td>', v, '</td></tr>'
+                print '<tr><td><tt>', websafe(k), \
+                      '</tt></td><td>', websafe(v), \
+                      '</td></tr>'
             print '</table>'
         else:
             print '<p><hr>[failed to import module os]'
1	slords	1.1	--- mailman-2.1.5.orig/scripts/driver 2003-04-20 00:52:55.000000000 -0400
2			+++ /usr/src/local/mailman/mailman/scripts/driver 2004-12-27 19:38:22.000000000 -0500
3			@@ -1,6 +1,6 @@
4			# -- python --
5
6			-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
7			+# Copyright (C) 1998-2004 by the Free Software Foundation, Inc.
8			#
9			# This program is free software; you can redistribute it and/or
10			# modify it under the terms of the GNU General Public License
11			@@ -28,7 +28,11 @@
12			# comfortable with. By setting STEALTH_MODE to 1, you disable the printing of
13			# this information to the web pages. This information is still, and always,
14			# printed in the error logs.
15			-STEALTH_MODE = 0
16			+STEALTH_MODE = 1
17			+
18			+# This will be set to the entity escaper.
19			+def websafe(s):
20			+ return s
21
22
23
24			@@ -53,12 +57,22 @@
25
26
27			def run_main():
28			+ global STEALTH_MODE, websafe
29			+
30			# These will ensure that even if something between now and the
31			# creation of the real logger below fails, we can still get
32			# something meaningful.
33			logger = None
34			try:
35			import paths
36			+ # When running in non-stealth mode, we need to escape entities,
37			+ # otherwise we're vulnerable to cross-site scripting attacks.
38			+ try:
39			+ if not STEALTH_MODE:
40			+ from Mailman.Utils import websafe
41			+ except:
42			+ STEALTH_MODE = 1
43			+ raise
44			# Map stderr to a logger, if possible.
45			from Mailman.Logging.StampedLogger import StampedLogger
46			logger = StampedLogger('error',
47			@@ -140,11 +154,13 @@
48			a description of what happened. Thanks!
49
50			<h4>Traceback:</h4><p><pre>'''
51			+ exc_info = sys.exc_info()
52			if traceback:
53			- traceback.print_exc(file=sys.stdout)
54			+ for line in traceback.format_exception(*exc_info):
55			+ print websafe(line),
56			else:
57			print '[failed to import module traceback]'
58			- print '[exc: %s, var: %s]' % sys.exc_info()[0:2]
59			+ print '[exc: %s, var: %s]' % [websafe(x) for x in exc_info[0:2]]
60			print '\n\n</pre></body>'
61			else:
62			print '''<p>Please inform the webmaster for this site of this
63			@@ -212,7 +228,9 @@
64			'''
65			if os:
66			for k, v in os.environ.items():
67			- print '<tr><td><tt>', k, '</tt></td><td>', v, '</td></tr>'
68			+ print '<tr><td><tt>', websafe(k), \
69			+ '</tt></td><td>', websafe(v), \
70			+ '</td></tr>'
71			print '</table>'
72			else:
73			print '<p><hr>[failed to import module os]'