
Annotation of /rpms/mailman/contribs7/mailman-2.1-CVE-2006-3636.patch



Revision 1.1 - (hide annotations) (download)
Mon Apr 21 00:12:42 2008 UTC (16 years, 1 month ago) by slords
Branch: MAIN
CVS Tags: mailman-2_1_5_1-34_rhel4_6_el4_sme
Initial import of mailman-2.1.5.1-34.rhel4.6.el4.sme.src.rpm

1 slords 1.1 --- mailman-2.1.5.1/Mailman/Cgi/admindb.py.CVE-2006-3636 2004-04-30 18:50:42.000000000 +0200
2     +++ mailman-2.1.5.1/Mailman/Cgi/admindb.py 2006-08-23 12:24:06.000000000 +0200
3     @@ -310,7 +310,7 @@
4     ' ' + _('Permanently ban from this list')
5     # While the address may be a unicode, it must be ascii
6     paddr = addr.encode('us-ascii', 'replace')
7     - table.AddRow(['%s<br><em>%s</em>' % (paddr, fullname),
8     + table.AddRow(['%s<br><em>%s</em>' % (paddr, Utils.websafe(fullname)),
9     radio,
10     TextBox('comment-%d' % id, size=40)
11     ])
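Review bot: `paddr` on the changed `table.AddRow` line is still interpolated unescaped while only `fullname` gained `Utils.websafe`. That is safe only as long as every held subscription address has passed `ValidateEmail`, whose `_badchars` pattern (visible in the Utils.py hunk of this same patch) rejects `<` and `>` — an input-validation invariant a rendering path should not have to rely on. I would escape both halves: `table.AddRow(['%s<br><em>%s</em>' % (Utils.websafe(paddr), Utils.websafe(fullname)),`. The enclosing function starts before this hunk.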
12     @@ -354,7 +354,7 @@
13     mlist.HandleRequest(id, mm_cfg.DISCARD)
14     continue
15     num += 1
16     - table.AddRow(['%s<br><em>%s</em>' % (addr, fullname),
17     + table.AddRow(['%s<br><em>%s</em>' % (addr, Utils.websafe(fullname)),
18     RadioButtonArray(id, (_('Defer'),
19     _('Approve'),
20     _('Reject'),
21     --- mailman-2.1.5.1/Mailman/Cgi/create.py.CVE-2006-3636 2004-02-29 18:07:51.000000000 +0100
22     +++ mailman-2.1.5.1/Mailman/Cgi/create.py 2006-08-23 12:24:06.000000000 +0200
23     @@ -187,15 +187,24 @@
24     mlist.Create(listname, owner, pw, langs, emailhost)
25     finally:
26     os.umask(oldmask)
27     - except Errors.EmailAddressError, s:
28     + except Errors.EmailAddressError, e:
29     + if e.args:
30     + s = Utils.websafe(e.args[0])
31     + else:
32     + s = Utils.websafe(owner)
33     request_creation(doc, cgidata,
34     _('Bad owner email address: %(s)s'))
35     return
36     except Errors.MMListAlreadyExistsError:
37     + # MAS: List already exists so we don't need to websafe it.
38     request_creation(doc, cgidata,
39     _('List already exists: %(listname)s'))
40     return
41     - except Errors.BadListNameError, s:
42     + except Errors.BadListNameError, e:
43     + if e.args:
44     + s = Utils.websafe(e.args[0])
45     + else:
46     + s = Utils.websafe(listname)
47     request_creation(doc, cgidata,
48     _('Illegal list name: %(s)s'))
49     return
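Review bot: The `# MAS: List already exists so we don't need to websafe it.` comment in the `MMListAlreadyExistsError` branch justifies leaving `listname` unescaped by an invariant this file does not establish — it holds only if the existence check that raises that error can never succeed for a name containing HTML metacharacters, and nothing in the hunk shows that. Escaping is cheap and removes the need to reason about it: `safelistname = Utils.websafe(listname)` followed by `_('List already exists: %(safelistname)s')`, matching the two neighbouring branches that now always escape. The `try` statement this belongs to starts before the hunk.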
50     @@ -318,15 +327,17 @@
51     ftable.AddRow([Center(Italic(_('List Identity')))])
52     ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, colspan=2)
53    
54     - safelistname = Utils.websafe(cgidata.getvalue('listname', ''))
55     + listname = cgidata.getvalue('listname', '')
56     + # MAS: Don't websafe twice. TextBox does it.
57     ftable.AddRow([Label(_('Name of list:')),
58     - TextBox('listname', safelistname)])
59     + TextBox('listname', listname)])
60     ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
61     ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
62    
63     - safeowner = Utils.websafe(cgidata.getvalue('owner', ''))
64     + owner = cgidata.getvalue('owner', '')
65     + # MAS: Don't websafe twice. TextBox does it.
66     ftable.AddRow([Label(_('Initial list owner address:')),
67     - TextBox('owner', safeowner)])
68     + TextBox('owner', owner)])
69     ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
70     ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
71    
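Review bot: Dropping `Utils.websafe` here makes escaping depend on `TextBox`'s new `isinstance(value, str)` guard, and `cgidata.getvalue('listname', '')` does not guarantee a `str`: `cgi.FieldStorage.getvalue` returns a list when the same field is submitted more than once, and a list is then interpolated into the `value="..."` attribute unescaped. Before the patch `websafe(list)` would have raised; after it a duplicated `listname` or `owner` parameter reaches the page verbatim. Read single values with `cgidata.getfirst('listname', '')` and `cgidata.getfirst('owner', '')` (Python 2.2+; otherwise coerce to a string before `TextBox`), and have the `# MAS:` comments name the htmlformat.py change they rely on. The enclosing function starts before this hunk.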
72     --- mailman-2.1.5.1/Mailman/Cgi/options.py.CVE-2006-3636 2004-02-29 17:45:27.000000000 +0100
73     +++ mailman-2.1.5.1/Mailman/Cgi/options.py 2006-08-23 12:24:06.000000000 +0200
74     @@ -652,7 +652,7 @@
75    
76     fullname = Utils.uncanonstr(mlist.getMemberName(user), userlang)
77     if fullname:
78     - presentable_user += ', %s' % fullname
79     + presentable_user += ', %s' % Utils.websafe(fullname)
80    
81     # Do replacements
82     replacements = mlist.GetStandardReplacements(userlang)
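Review bot: Only the `fullname` suffix is escaped on the changed line; the value `presentable_user` starts from is assigned before this hunk, and if it is the raw member address that half of the string is still unescaped. Worth confirming at that assignment that it is built with `Utils.websafe` too, or escaping the whole string once at the point it is substituted into the template. The enclosing function starts before and ends after this hunk.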
83     --- mailman-2.1.5.1/Mailman/Cgi/edithtml.py.CVE-2006-3636 2002-05-22 05:00:18.000000000 +0200
84     +++ mailman-2.1.5.1/Mailman/Cgi/edithtml.py 2006-08-23 12:24:06.000000000 +0200
85     @@ -140,7 +140,8 @@
86     doc.AddItem('<p>')
87     doc.AddItem('<hr>')
88     form = Form(mlist.GetScriptURL('edithtml') + '/' + template_name)
89     - text = Utils.websafe(Utils.maketext(template_name, raw=1, mlist=mlist))
90     + text = Utils.maketext(template_name, raw=1, mlist=mlist)
91     + # MAS: Don't websafe twice. TextArea does it.
92     form.AddItem(TextArea('html_code', text, rows=40, cols=75))
93     form.AddItem('<p>' + _('When you are done making changes...'))
94     form.AddItem(SubmitButton('submit', _('Submit Changes')))
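Review bot: The correctness of this hunk now rests entirely on the `TextArea` change in htmlformat.py from the same patch; applied on its own, the template text goes into the `<textarea>` unescaped, and a template containing `</textarea>` would terminate the field and inject markup. The `# MAS: Don't websafe twice. TextArea does it.` comment would be more useful if it named that coupling, e.g. `# TextArea (htmlformat.py) escapes its text itself; escaping here too would double-encode.` Templates are admin-edited, so exposure is limited to that trust level, but the dependency should be explicit. The enclosing function starts before and ends after this hunk.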
95     --- mailman-2.1.5.1/Mailman/Cgi/admin.py.CVE-2006-3636 2003-12-24 18:27:45.000000000 +0100
96     +++ mailman-2.1.5.1/Mailman/Cgi/admin.py 2006-08-23 12:25:48.000000000 +0200
97     @@ -1319,6 +1319,7 @@
98     # we display. Try uploading a file with 10k names -- it takes a while
99     # to render the status page.
100     for entry in entries:
101     + safeentry = Utils.websafe(entry)
102     fullname, address = parseaddr(entry)
103     # Canonicalize the full name
104     fullname = Utils.canonstr(fullname, mlist.preferred_language)
105     @@ -1336,17 +1337,17 @@
106     send_admin_notif, invitation,
107     whence='admin mass sub')
108     except Errors.MMAlreadyAMember:
109     - subscribe_errors.append((entry, _('Already a member')))
110     + subscribe_errors.append((safeentry, _('Already a member')))
111     except Errors.MMBadEmailError:
112     if userdesc.address == '':
113     subscribe_errors.append((_('&lt;blank line&gt;'),
114     _('Bad/Invalid email address')))
115     else:
116     - subscribe_errors.append((entry,
117     + subscribe_errors.append((safeentry,
118     _('Bad/Invalid email address')))
119     except Errors.MMHostileAddress:
120     subscribe_errors.append(
121     - (entry, _('Hostile address (illegal characters)')))
122     + (safeentry, _('Hostile address (illegal characters)')))
123     else:
124     member = Utils.uncanonstr(formataddr((fullname, address)))
125     subscribe_success.append(Utils.websafe(member))
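Review bot: After this change `subscribe_errors` holds a mix of HTML-escaped entries (`safeentry`, the hand-escaped `&lt;blank line&gt;`) and translated strings, so wherever the list is rendered (outside this hunk) it must not be escaped a second time, and anyone adding a branch must append `safeentry` rather than `entry`. A comment at the first `subscribe_errors.append` would guard against that regression: `# subscribe_errors/subscribe_success hold already HTML-escaped text; render them without escaping again.` Escaping `entry` once at the top of the loop, as the previous hunk does, is the right shape for this. The loop begins before this hunk.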
126     @@ -1386,9 +1387,9 @@
127     addr, whence='admin mass unsub',
128     admin_notif=send_unsub_notifications,
129     userack=userack)
130     - unsubscribe_success.append(addr)
131     + unsubscribe_success.append(Utils.websafe(addr))
132     except Errors.NotAMemberError:
133     - unsubscribe_errors.append(addr)
134     + unsubscribe_errors.append(Utils.websafe(addr))
135     if unsubscribe_success:
136     doc.AddItem(Header(5, _('Successfully Unsubscribed:')))
137     doc.AddItem(UnorderedList(*unsubscribe_success))
138     --- mailman-2.1.5.1/Mailman/Utils.py.CVE-2006-3636 2003-12-26 23:50:04.000000000 +0100
139     +++ mailman-2.1.5.1/Mailman/Utils.py 2006-08-23 12:24:06.000000000 +0200
140     @@ -201,7 +201,7 @@
141     _badchars = re.compile(r'[][()<>|;^,/\200-\377]')
142    
143     def ValidateEmail(s):
144     - """Verify that the an email address isn't grossly evil."""
145     + """Verify that an email address isn't grossly evil."""
146     # Pretty minimal, cheesy check. We could do better...
147     if not s or s.count(' ') > 0:
148     raise Errors.MMBadEmailError
149     --- mailman-2.1.5.1/Mailman/htmlformat.py.CVE-2006-3636 2003-09-22 04:58:13.000000000 +0200
150     +++ mailman-2.1.5.1/Mailman/htmlformat.py 2006-08-23 12:24:06.000000000 +0200
151     @@ -448,7 +448,11 @@
152    
153     class TextBox(InputObj):
154     def __init__(self, name, value='', size=mm_cfg.TEXTFIELDWIDTH):
155     - InputObj.__init__(self, name, "TEXT", value, checked=0, size=size)
156     + if isinstance(value, str):
157     + safevalue = Utils.websafe(value)
158     + else:
159     + safevalue = value
160     + InputObj.__init__(self, name, "TEXT", safevalue, checked=0, size=size)
161    
162     class Hidden(InputObj):
163     def __init__(self, name, value=''):
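Review bot: `Hidden`, whose header is visible as context right under the changed `TextBox.__init__`, gets no equivalent escaping, yet its value is emitted into the same `value="..."` attribute through the shared `InputObj` base; any caller that passes user-derived data to `Hidden` keeps the injection this patch closes for `TextBox`. I cannot see `Hidden`'s callers here, so treat this as a gap to audit rather than a confirmed issue, but the cheapest closure is to escape once in `InputObj` or give `Hidden` the same `safevalue` branch. Note also that `TextBox` now escapes at construction, so any caller still passing a pre-escaped string will double-encode `&amp;`; the patch cleaned up create.py but other callers may need the same treatment. The class continues past this hunk.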
164     @@ -457,8 +461,12 @@
165     class TextArea:
166     def __init__(self, name, text='', rows=None, cols=None, wrap='soft',
167     readonly=0):
168     + if isinstance(text, str):
169     + safetext = Utils.websafe(text)
170     + else:
171     + safetext = text
172     self.name = name
173     - self.text = text
174     + self.text = safetext
175     self.rows = rows
176     self.cols = cols
177     self.wrap = wrap
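Review bot: The `isinstance(text, str)` guard escapes only byte strings: under Python 2 a `unicode` value fails the test and is stored raw in `self.text`, and a list or other object is later interpolated via `%s` unescaped. Use `isinstance(text, (str, unicode))` (or `basestring` if the supported Python allows), and the same applies to the `TextBox` guard in the previous hunk. For values that are neither, coercing and escaping is safer than passing through — `safetext = Utils.websafe(str(text))` in the fallback branch — unless some caller relies on non-string text. The class body continues past this hunk.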
178     --- mailman-2.1.5.1/Mailman/Gui/General.py.CVE-2006-3636 2004-02-17 20:27:46.000000000 +0100
179     +++ mailman-2.1.5.1/Mailman/Gui/General.py 2006-08-23 12:24:06.000000000 +0200
180     @@ -433,13 +433,13 @@
181     GUIBase._setValue(self, mlist, property, val, doc)
182    
183     def _escape(self, property, value):
184     - # The 'info' property allows HTML, but lets sanitize it to avoid XSS
185     + # The 'info' property allows HTML, but let's sanitize it to avoid XSS
186     # exploits. Everything else should be fully escaped.
187     if property <> 'info':
188     return GUIBase._escape(self, property, value)
189     # Sanitize <script> and </script> tags but nothing else. Not the best
190     # solution, but expedient.
191     - return re.sub(r'<([/]?script.*?)>', r'&lt;\1&gt;', value)
192     + return re.sub(r'(?i)<([/]?script.*?)>', r'&lt;\1&gt;', value)
193    
194     def _postValidate(self, mlist, doc):
195     if not mlist.reply_to_address.strip() and \
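Review bot: The `(?i)` fix makes the `<script>` filter case-insensitive but leaves it a blocklist with two visible holes: `.` does not match a newline without `re.S`, so `<script` followed by a line break before `>` survives, and nothing is done about event-handler attributes (`onload=`, `onerror=`) or `javascript:` URLs, which need no script tag at all. At minimum use `return re.sub(r'(?is)<([/]?script.*?)>', r'&lt;\1&gt;', value)`; properly, `info` should pass through an allowlist of tags and attributes rather than a regex. The comment already admits the approach is expedient, and since `info` is set by list administrators the exposure is to other admins and to members viewing the list pages. `_escape` is complete in this hunk; `_postValidate` continues past it.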
196     --- mailman-2.1.5.1/Mailman/HTMLFormatter.py.CVE-2006-3636 2003-09-29 17:01:22.000000000 +0200
197     +++ mailman-2.1.5.1/Mailman/HTMLFormatter.py 2006-08-23 12:24:06.000000000 +0200
198     @@ -332,8 +332,12 @@
199     return '</FORM>'
200    
201     def FormatBox(self, name, size=20, value=''):
202     + if isinstance(value, str):
203     + safevalue = Utils.websafe(value)
204     + else:
205     + safevalue = value
206     return '<INPUT type="Text" name="%s" size="%d" value="%s">' % (
207     - name, size, value)
208     + name, size, safevalue)
209    
210     def FormatSecureBox(self, name):
211     return '<INPUT type="Password" name="%s" size="15">' % name
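Review bot: `FormatBox` writes `safevalue` inside a double-quoted attribute, so the escaping is sufficient only if `Utils.websafe` also converts `"` to `&quot;`; `websafe` is not visible here, and if it handles only `<`, `>` and `&`, a value containing `"` still terminates the attribute. Confirm it is `cgi.escape(s, quote=1)` or equivalent, and add `# websafe must escape double quotes: the value is emitted inside value="..."` above the `return`. As with `TextBox`, the `isinstance(value, str)` branch leaves `unicode` and non-string values unescaped; `isinstance(value, (str, unicode))` closes the first case. Both `FormatBox` and `FormatSecureBox` are complete in this hunk.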
