--- mailman-2.1.5.orig/scripts/driver 2003-04-20 00:52:55.000000000 -0400 +++ /usr/src/local/mailman/mailman/scripts/driver 2004-12-27 19:38:22.000000000 -0500 @@ -1,6 +1,6 @@ # -*- python -*- -# Copyright (C) 1998-2003 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2004 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -28,7 +28,11 @@ # comfortable with. By setting STEALTH_MODE to 1, you disable the printing of # this information to the web pages. This information is still, and always, # printed in the error logs. -STEALTH_MODE = 0 +STEALTH_MODE = 1 + +# This will be set to the entity escaper. +def websafe(s): + return s @@ -53,12 +57,22 @@ def run_main(): + global STEALTH_MODE, websafe + # These will ensure that even if something between now and the # creation of the real logger below fails, we can still get # *something* meaningful. logger = None try: import paths + # When running in non-stealth mode, we need to escape entities, + # otherwise we're vulnerable to cross-site scripting attacks. + try: + if not STEALTH_MODE: + from Mailman.Utils import websafe + except: + STEALTH_MODE = 1 + raise # Map stderr to a logger, if possible. from Mailman.Logging.StampedLogger import StampedLogger logger = StampedLogger('error', @@ -140,11 +154,13 @@ a description of what happened. Thanks!
''' + exc_info = sys.exc_info() if traceback: - traceback.print_exc(file=sys.stdout) + for line in traceback.format_exception(*exc_info): + print websafe(line), else: print '[failed to import module traceback]' - print '[exc: %s, var: %s]' % sys.exc_info()[0:2] + print '[exc: %s, var: %s]' % [websafe(x) for x in exc_info[0:2]] print '\n\n