--- mailman-2.1.5.orig/scripts/driver 2003-04-20 00:52:55.000000000 -0400
+++ /usr/src/local/mailman/mailman/scripts/driver 2004-12-27 19:38:22.000000000 -0500
@@ -1,6 +1,6 @@
 # -*- python -*-
-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2004 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -28,7 +28,11 @@
 # comfortable with. By setting STEALTH_MODE to 1, you disable the printing of
 # this information to the web pages. This information is still, and always,
 # printed in the error logs.
-STEALTH_MODE = 0
+STEALTH_MODE = 1
+
+# This will be set to the entity escaper.
+def websafe(s):
+ return s
@@ -53,12 +57,22 @@
 def run_main():
+ global STEALTH_MODE, websafe
+
 # These will ensure that even if something between now and the
 # creation of the real logger below fails, we can still get
 # *something* meaningful.
 logger = None
 try:
 import paths
+ # When running in non-stealth mode, we need to escape entities,
+ # otherwise we're vulnerable to cross-site scripting attacks.
+ try:
+ if not STEALTH_MODE:
+ from Mailman.Utils import websafe
+ except:
+ STEALTH_MODE = 1
+ raise
 # Map stderr to a logger, if possible.
 from Mailman.Logging.StampedLogger import StampedLogger
 logger = StampedLogger('error',
@@ -140,11 +154,13 @@ a description of what happened. Thanks!
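Review bot: The module-level `websafe` stub returns its argument unescaped, and nothing at its definition says it must never reach the page; it is only safe because run_main() rebinds the name to Mailman.Utils.websafe before any non-stealth output, which I infer from the later hunks rather than from this one. A reader who later calls `websafe` from another code path in this file would get no escaping at all. I would replace the one-line comment with `# Placeholder only: run_main() rebinds this to Mailman.Utils.websafe when STEALTH_MODE is 0; with STEALTH_MODE at 1 nothing passed through it is shown on the page.`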
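Review bot: The fail-closed behaviour of the new inner `try`/`except` in run_main — forcing `STEALTH_MODE` back to 1 when `Mailman.Utils.websafe` cannot be imported, so the error page produced by the outer handler never echoes data through the identity `websafe` stub — is the security-relevant part of this change, but the comment above it only explains why escaping is needed, not why the mode is flipped. I would add, directly above the inner `try:`, `# If the real escaper is unavailable, fall back to stealth mode so the outer handler never prints unescaped data.` The bare `except:` is tolerable only because it re-raises immediately; that too deserves a word, e.g. `except:  # re-raised below; only here to force stealth mode first`. The outer `try` whose handler renders the page continues past the end of this hunk.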

Traceback:

'''
+        exc_info = sys.exc_info()
         if traceback:
-            traceback.print_exc(file=sys.stdout)
+            for line in traceback.format_exception(*exc_info):
+                print websafe(line),
         else:
             print '[failed to import module traceback]'
-            print '[exc: %s, var: %s]' % sys.exc_info()[0:2]
+            print '[exc: %s, var: %s]' % [websafe(x) for x in exc_info[0:2]]
         print '\n\n
' else: print '''

Please inform the webmaster for this site of this
@@ -212,7 +228,9 @@
 '''
 if os:
 for k, v in os.environ.items():
- print '', k, '', v, ''
+ print '', websafe(k), \
+ '', websafe(v), \
+ ''
 print ''
 else:
 print '
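Review bot: The fallback branch `print '[exc: %s, var: %s]' % [websafe(x) for x in exc_info[0:2]]` cannot work: the right-hand side of `%` is a list, which the format operator treats as a single argument, so a two-conversion format string raises TypeError inside the error handler itself; in addition exc_info[0] is an exception class rather than a string, which websafe (presumably cgi.escape-based; to be confirmed) will not accept. Use a tuple of stringified values, `print '[exc: %s, var: %s]' % (websafe(str(exc_info[0])), websafe(str(exc_info[1])))`. The branch only runs when the traceback module fails to import, which is why it is easy to miss in testing. The `format_exception` loop above it is fine: each line is escaped before reaching the page, and the trailing comma keeps the embedded newlines intact. The enclosing function starts and ends outside this hunk.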


[failed to import module os]'
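Review bot: Escaping `k` and `v` closes the injection hole, but the loop still echoes every entry of `os.environ` to the browser, and for a CGI program that environment includes request headers such as HTTP_COOKIE and HTTP_AUTHORIZATION when the server passes them through; that is a disclosure rather than an injection issue and is unchanged by this commit. The dump is presumably reached only with STEALTH_MODE at 0, but that guard lies outside the hunk, as does the rest of the enclosing `if not STEALTH_MODE` block. At minimum a comment above `for k, v in os.environ.items():` such as `# Non-stealth only: this echoes the whole CGI environment, including any request headers, to the page.` would make the trade-off visible; skipping names that start with `HTTP_` would be the stricter option.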