| 1 |
--- mailman-2.1.5.1/Mailman/Cgi/admindb.py.CVE-2006-3636 2004-04-30 18:50:42.000000000 +0200 |
| 2 |
+++ mailman-2.1.5.1/Mailman/Cgi/admindb.py 2006-08-23 12:24:06.000000000 +0200 |
| 3 |
@@ -310,7 +310,7 @@ |
| 4 |
' ' + _('Permanently ban from this list') |
| 5 |
# While the address may be a unicode, it must be ascii |
| 6 |
paddr = addr.encode('us-ascii', 'replace') |
| 7 |
- table.AddRow(['%s<br><em>%s</em>' % (paddr, fullname), |
| 8 |
+ table.AddRow(['%s<br><em>%s</em>' % (paddr, Utils.websafe(fullname)), |
| 9 |
radio, |
| 10 |
TextBox('comment-%d' % id, size=40) |
| 11 |
]) |
| 12 |
@@ -354,7 +354,7 @@ |
| 13 |
mlist.HandleRequest(id, mm_cfg.DISCARD) |
| 14 |
continue |
| 15 |
num += 1 |
| 16 |
- table.AddRow(['%s<br><em>%s</em>' % (addr, fullname), |
| 17 |
+ table.AddRow(['%s<br><em>%s</em>' % (addr, Utils.websafe(fullname)), |
| 18 |
RadioButtonArray(id, (_('Defer'), |
| 19 |
_('Approve'), |
| 20 |
_('Reject'), |
| 21 |
--- mailman-2.1.5.1/Mailman/Cgi/create.py.CVE-2006-3636 2004-02-29 18:07:51.000000000 +0100 |
| 22 |
+++ mailman-2.1.5.1/Mailman/Cgi/create.py 2006-08-23 12:24:06.000000000 +0200 |
| 23 |
@@ -187,15 +187,24 @@ |
| 24 |
mlist.Create(listname, owner, pw, langs, emailhost) |
| 25 |
finally: |
| 26 |
os.umask(oldmask) |
| 27 |
- except Errors.EmailAddressError, s: |
| 28 |
+ except Errors.EmailAddressError, e: |
| 29 |
+ if e.args: |
| 30 |
+ s = Utils.websafe(e.args[0]) |
| 31 |
+ else: |
| 32 |
+ s = Utils.websafe(owner) |
| 33 |
request_creation(doc, cgidata, |
| 34 |
_('Bad owner email address: %(s)s')) |
| 35 |
return |
| 36 |
except Errors.MMListAlreadyExistsError: |
| 37 |
+ # MAS: List already exists so we don't need to websafe it. |
| 38 |
request_creation(doc, cgidata, |
| 39 |
_('List already exists: %(listname)s')) |
| 40 |
return |
| 41 |
- except Errors.BadListNameError, s: |
| 42 |
+ except Errors.BadListNameError, e: |
| 43 |
+ if e.args: |
| 44 |
+ s = Utils.websafe(e.args[0]) |
| 45 |
+ else: |
| 46 |
+ s = Utils.websafe(listname) |
| 47 |
request_creation(doc, cgidata, |
| 48 |
_('Illegal list name: %(s)s')) |
| 49 |
return |
| 50 |
@@ -318,15 +327,17 @@ |
| 51 |
ftable.AddRow([Center(Italic(_('List Identity')))]) |
| 52 |
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, colspan=2) |
| 53 |
|
| 54 |
- safelistname = Utils.websafe(cgidata.getvalue('listname', '')) |
| 55 |
+ listname = cgidata.getvalue('listname', '') |
| 56 |
+ # MAS: Don't websafe twice. TextBox does it. |
| 57 |
ftable.AddRow([Label(_('Name of list:')), |
| 58 |
- TextBox('listname', safelistname)]) |
| 59 |
+ TextBox('listname', listname)]) |
| 60 |
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY) |
| 61 |
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY) |
| 62 |
|
| 63 |
- safeowner = Utils.websafe(cgidata.getvalue('owner', '')) |
| 64 |
+ owner = cgidata.getvalue('owner', '') |
| 65 |
+ # MAS: Don't websafe twice. TextBox does it. |
| 66 |
ftable.AddRow([Label(_('Initial list owner address:')), |
| 67 |
- TextBox('owner', safeowner)]) |
| 68 |
+ TextBox('owner', owner)]) |
| 69 |
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY) |
| 70 |
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY) |
| 71 |
|
| 72 |
--- mailman-2.1.5.1/Mailman/Cgi/options.py.CVE-2006-3636 2004-02-29 17:45:27.000000000 +0100 |
| 73 |
+++ mailman-2.1.5.1/Mailman/Cgi/options.py 2006-08-23 12:24:06.000000000 +0200 |
| 74 |
@@ -652,7 +652,7 @@ |
| 75 |
|
| 76 |
fullname = Utils.uncanonstr(mlist.getMemberName(user), userlang) |
| 77 |
if fullname: |
| 78 |
- presentable_user += ', %s' % fullname |
| 79 |
+ presentable_user += ', %s' % Utils.websafe(fullname) |
| 80 |
|
| 81 |
# Do replacements |
| 82 |
replacements = mlist.GetStandardReplacements(userlang) |
| 83 |
--- mailman-2.1.5.1/Mailman/Cgi/edithtml.py.CVE-2006-3636 2002-05-22 05:00:18.000000000 +0200 |
| 84 |
+++ mailman-2.1.5.1/Mailman/Cgi/edithtml.py 2006-08-23 12:24:06.000000000 +0200 |
| 85 |
@@ -140,7 +140,8 @@ |
| 86 |
doc.AddItem('<p>') |
| 87 |
doc.AddItem('<hr>') |
| 88 |
form = Form(mlist.GetScriptURL('edithtml') + '/' + template_name) |
| 89 |
- text = Utils.websafe(Utils.maketext(template_name, raw=1, mlist=mlist)) |
| 90 |
+ text = Utils.maketext(template_name, raw=1, mlist=mlist) |
| 91 |
+ # MAS: Don't websafe twice. TextArea does it. |
| 92 |
form.AddItem(TextArea('html_code', text, rows=40, cols=75)) |
| 93 |
form.AddItem('<p>' + _('When you are done making changes...')) |
| 94 |
form.AddItem(SubmitButton('submit', _('Submit Changes'))) |
| 95 |
--- mailman-2.1.5.1/Mailman/Cgi/admin.py.CVE-2006-3636 2003-12-24 18:27:45.000000000 +0100 |
| 96 |
+++ mailman-2.1.5.1/Mailman/Cgi/admin.py 2006-08-23 12:25:48.000000000 +0200 |
| 97 |
@@ -1319,6 +1319,7 @@ |
| 98 |
# we display. Try uploading a file with 10k names -- it takes a while |
| 99 |
# to render the status page. |
| 100 |
for entry in entries: |
| 101 |
+ safeentry = Utils.websafe(entry) |
| 102 |
fullname, address = parseaddr(entry) |
| 103 |
# Canonicalize the full name |
| 104 |
fullname = Utils.canonstr(fullname, mlist.preferred_language) |
| 105 |
@@ -1336,17 +1337,17 @@ |
| 106 |
send_admin_notif, invitation, |
| 107 |
whence='admin mass sub') |
| 108 |
except Errors.MMAlreadyAMember: |
| 109 |
- subscribe_errors.append((entry, _('Already a member'))) |
| 110 |
+ subscribe_errors.append((safeentry, _('Already a member'))) |
| 111 |
except Errors.MMBadEmailError: |
| 112 |
if userdesc.address == '': |
| 113 |
subscribe_errors.append((_('<blank line>'), |
| 114 |
_('Bad/Invalid email address'))) |
| 115 |
else: |
| 116 |
- subscribe_errors.append((entry, |
| 117 |
+ subscribe_errors.append((safeentry, |
| 118 |
_('Bad/Invalid email address'))) |
| 119 |
except Errors.MMHostileAddress: |
| 120 |
subscribe_errors.append( |
| 121 |
- (entry, _('Hostile address (illegal characters)'))) |
| 122 |
+ (safeentry, _('Hostile address (illegal characters)'))) |
| 123 |
else: |
| 124 |
member = Utils.uncanonstr(formataddr((fullname, address))) |
| 125 |
subscribe_success.append(Utils.websafe(member)) |
| 126 |
@@ -1386,9 +1387,9 @@ |
| 127 |
addr, whence='admin mass unsub', |
| 128 |
admin_notif=send_unsub_notifications, |
| 129 |
userack=userack) |
| 130 |
- unsubscribe_success.append(addr) |
| 131 |
+ unsubscribe_success.append(Utils.websafe(addr)) |
| 132 |
except Errors.NotAMemberError: |
| 133 |
- unsubscribe_errors.append(addr) |
| 134 |
+ unsubscribe_errors.append(Utils.websafe(addr)) |
| 135 |
if unsubscribe_success: |
| 136 |
doc.AddItem(Header(5, _('Successfully Unsubscribed:'))) |
| 137 |
doc.AddItem(UnorderedList(*unsubscribe_success)) |
| 138 |
--- mailman-2.1.5.1/Mailman/Utils.py.CVE-2006-3636 2003-12-26 23:50:04.000000000 +0100 |
| 139 |
+++ mailman-2.1.5.1/Mailman/Utils.py 2006-08-23 12:24:06.000000000 +0200 |
| 140 |
@@ -201,7 +201,7 @@ |
| 141 |
_badchars = re.compile(r'[][()<>|;^,/\200-\377]') |
| 142 |
|
| 143 |
def ValidateEmail(s): |
| 144 |
- """Verify that the an email address isn't grossly evil.""" |
| 145 |
+ """Verify that an email address isn't grossly evil.""" |
| 146 |
# Pretty minimal, cheesy check. We could do better... |
| 147 |
if not s or s.count(' ') > 0: |
| 148 |
raise Errors.MMBadEmailError |
| 149 |
--- mailman-2.1.5.1/Mailman/htmlformat.py.CVE-2006-3636 2003-09-22 04:58:13.000000000 +0200 |
| 150 |
+++ mailman-2.1.5.1/Mailman/htmlformat.py 2006-08-23 12:24:06.000000000 +0200 |
| 151 |
@@ -448,7 +448,11 @@ |
| 152 |
|
| 153 |
class TextBox(InputObj): |
| 154 |
def __init__(self, name, value='', size=mm_cfg.TEXTFIELDWIDTH): |
| 155 |
- InputObj.__init__(self, name, "TEXT", value, checked=0, size=size) |
| 156 |
+ if isinstance(value, str): |
| 157 |
+ safevalue = Utils.websafe(value) |
| 158 |
+ else: |
| 159 |
+ safevalue = value |
| 160 |
+ InputObj.__init__(self, name, "TEXT", safevalue, checked=0, size=size) |
| 161 |
|
| 162 |
class Hidden(InputObj): |
| 163 |
def __init__(self, name, value=''): |
| 164 |
@@ -457,8 +461,12 @@ |
| 165 |
class TextArea: |
| 166 |
def __init__(self, name, text='', rows=None, cols=None, wrap='soft', |
| 167 |
readonly=0): |
| 168 |
+ if isinstance(text, str): |
| 169 |
+ safetext = Utils.websafe(text) |
| 170 |
+ else: |
| 171 |
+ safetext = text |
| 172 |
self.name = name |
| 173 |
- self.text = text |
| 174 |
+ self.text = safetext |
| 175 |
self.rows = rows |
| 176 |
self.cols = cols |
| 177 |
self.wrap = wrap |
| 178 |
--- mailman-2.1.5.1/Mailman/Gui/General.py.CVE-2006-3636 2004-02-17 20:27:46.000000000 +0100 |
| 179 |
+++ mailman-2.1.5.1/Mailman/Gui/General.py 2006-08-23 12:24:06.000000000 +0200 |
| 180 |
@@ -433,13 +433,13 @@ |
| 181 |
GUIBase._setValue(self, mlist, property, val, doc) |
| 182 |
|
| 183 |
def _escape(self, property, value): |
| 184 |
- # The 'info' property allows HTML, but lets sanitize it to avoid XSS |
| 185 |
+ # The 'info' property allows HTML, but let's sanitize it to avoid XSS |
| 186 |
# exploits. Everything else should be fully escaped. |
| 187 |
if property <> 'info': |
| 188 |
return GUIBase._escape(self, property, value) |
| 189 |
# Sanitize <script> and </script> tags but nothing else. Not the best |
| 190 |
# solution, but expedient. |
| 191 |
- return re.sub(r'<([/]?script.*?)>', r'<\1>', value) |
| 192 |
+ return re.sub(r'(?i)<([/]?script.*?)>', r'<\1>', value) |
| 193 |
|
| 194 |
def _postValidate(self, mlist, doc): |
| 195 |
if not mlist.reply_to_address.strip() and \ |
| 196 |
--- mailman-2.1.5.1/Mailman/HTMLFormatter.py.CVE-2006-3636 2003-09-29 17:01:22.000000000 +0200 |
| 197 |
+++ mailman-2.1.5.1/Mailman/HTMLFormatter.py 2006-08-23 12:24:06.000000000 +0200 |
| 198 |
@@ -332,8 +332,12 @@ |
| 199 |
return '</FORM>' |
| 200 |
|
| 201 |
def FormatBox(self, name, size=20, value=''): |
| 202 |
+ if isinstance(value, str): |
| 203 |
+ safevalue = Utils.websafe(value) |
| 204 |
+ else: |
| 205 |
+ safevalue = value |
| 206 |
return '<INPUT type="Text" name="%s" size="%d" value="%s">' % ( |
| 207 |
- name, size, value) |
| 208 |
+ name, size, safevalue) |
| 209 |
|
| 210 |
def FormatSecureBox(self, name): |
| 211 |
return '<INPUT type="Password" name="%s" size="15">' % name |
Parent Directory
| 
Revision Log
| 
Revision Graph
