/[smecontribs]/rpms/mailman/contribs8/mailman-2.1-CVE-2006-3636.patch
ViewVC logotype

Contents of /rpms/mailman/contribs8/mailman-2.1-CVE-2006-3636.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.2 - (show annotations) (download)
Fri Jul 12 21:04:19 2013 UTC (11 years, 4 months ago) by unnilennium
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
import new srpm

1 --- mailman-2.1.5.1/Mailman/Cgi/admindb.py.CVE-2006-3636 2004-04-30 18:50:42.000000000 +0200
2 +++ mailman-2.1.5.1/Mailman/Cgi/admindb.py 2006-08-23 12:24:06.000000000 +0200
3 @@ -310,7 +310,7 @@
4 ' ' + _('Permanently ban from this list')
5 # While the address may be a unicode, it must be ascii
6 paddr = addr.encode('us-ascii', 'replace')
7 - table.AddRow(['%s<br><em>%s</em>' % (paddr, fullname),
8 + table.AddRow(['%s<br><em>%s</em>' % (paddr, Utils.websafe(fullname)),
9 radio,
10 TextBox('comment-%d' % id, size=40)
11 ])
12 @@ -354,7 +354,7 @@
13 mlist.HandleRequest(id, mm_cfg.DISCARD)
14 continue
15 num += 1
16 - table.AddRow(['%s<br><em>%s</em>' % (addr, fullname),
17 + table.AddRow(['%s<br><em>%s</em>' % (addr, Utils.websafe(fullname)),
18 RadioButtonArray(id, (_('Defer'),
19 _('Approve'),
20 _('Reject'),
21 --- mailman-2.1.5.1/Mailman/Cgi/create.py.CVE-2006-3636 2004-02-29 18:07:51.000000000 +0100
22 +++ mailman-2.1.5.1/Mailman/Cgi/create.py 2006-08-23 12:24:06.000000000 +0200
23 @@ -187,15 +187,24 @@
24 mlist.Create(listname, owner, pw, langs, emailhost)
25 finally:
26 os.umask(oldmask)
27 - except Errors.EmailAddressError, s:
28 + except Errors.EmailAddressError, e:
29 + if e.args:
30 + s = Utils.websafe(e.args[0])
31 + else:
32 + s = Utils.websafe(owner)
33 request_creation(doc, cgidata,
34 _('Bad owner email address: %(s)s'))
35 return
36 except Errors.MMListAlreadyExistsError:
37 + # MAS: List already exists so we don't need to websafe it.
38 request_creation(doc, cgidata,
39 _('List already exists: %(listname)s'))
40 return
41 - except Errors.BadListNameError, s:
42 + except Errors.BadListNameError, e:
43 + if e.args:
44 + s = Utils.websafe(e.args[0])
45 + else:
46 + s = Utils.websafe(listname)
47 request_creation(doc, cgidata,
48 _('Illegal list name: %(s)s'))
49 return
50 @@ -318,15 +327,17 @@
51 ftable.AddRow([Center(Italic(_('List Identity')))])
52 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, colspan=2)
53
54 - safelistname = Utils.websafe(cgidata.getvalue('listname', ''))
55 + listname = cgidata.getvalue('listname', '')
56 + # MAS: Don't websafe twice. TextBox does it.
57 ftable.AddRow([Label(_('Name of list:')),
58 - TextBox('listname', safelistname)])
59 + TextBox('listname', listname)])
60 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
61 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
62
63 - safeowner = Utils.websafe(cgidata.getvalue('owner', ''))
64 + owner = cgidata.getvalue('owner', '')
65 + # MAS: Don't websafe twice. TextBox does it.
66 ftable.AddRow([Label(_('Initial list owner address:')),
67 - TextBox('owner', safeowner)])
68 + TextBox('owner', owner)])
69 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
70 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
71
72 --- mailman-2.1.5.1/Mailman/Cgi/options.py.CVE-2006-3636 2004-02-29 17:45:27.000000000 +0100
73 +++ mailman-2.1.5.1/Mailman/Cgi/options.py 2006-08-23 12:24:06.000000000 +0200
74 @@ -652,7 +652,7 @@
75
76 fullname = Utils.uncanonstr(mlist.getMemberName(user), userlang)
77 if fullname:
78 - presentable_user += ', %s' % fullname
79 + presentable_user += ', %s' % Utils.websafe(fullname)
80
81 # Do replacements
82 replacements = mlist.GetStandardReplacements(userlang)
83 --- mailman-2.1.5.1/Mailman/Cgi/edithtml.py.CVE-2006-3636 2002-05-22 05:00:18.000000000 +0200
84 +++ mailman-2.1.5.1/Mailman/Cgi/edithtml.py 2006-08-23 12:24:06.000000000 +0200
85 @@ -140,7 +140,8 @@
86 doc.AddItem('<p>')
87 doc.AddItem('<hr>')
88 form = Form(mlist.GetScriptURL('edithtml') + '/' + template_name)
89 - text = Utils.websafe(Utils.maketext(template_name, raw=1, mlist=mlist))
90 + text = Utils.maketext(template_name, raw=1, mlist=mlist)
91 + # MAS: Don't websafe twice. TextArea does it.
92 form.AddItem(TextArea('html_code', text, rows=40, cols=75))
93 form.AddItem('<p>' + _('When you are done making changes...'))
94 form.AddItem(SubmitButton('submit', _('Submit Changes')))
95 --- mailman-2.1.5.1/Mailman/Cgi/admin.py.CVE-2006-3636 2003-12-24 18:27:45.000000000 +0100
96 +++ mailman-2.1.5.1/Mailman/Cgi/admin.py 2006-08-23 12:25:48.000000000 +0200
97 @@ -1319,6 +1319,7 @@
98 # we display. Try uploading a file with 10k names -- it takes a while
99 # to render the status page.
100 for entry in entries:
101 + safeentry = Utils.websafe(entry)
102 fullname, address = parseaddr(entry)
103 # Canonicalize the full name
104 fullname = Utils.canonstr(fullname, mlist.preferred_language)
105 @@ -1336,17 +1337,17 @@
106 send_admin_notif, invitation,
107 whence='admin mass sub')
108 except Errors.MMAlreadyAMember:
109 - subscribe_errors.append((entry, _('Already a member')))
110 + subscribe_errors.append((safeentry, _('Already a member')))
111 except Errors.MMBadEmailError:
112 if userdesc.address == '':
113 subscribe_errors.append((_('&lt;blank line&gt;'),
114 _('Bad/Invalid email address')))
115 else:
116 - subscribe_errors.append((entry,
117 + subscribe_errors.append((safeentry,
118 _('Bad/Invalid email address')))
119 except Errors.MMHostileAddress:
120 subscribe_errors.append(
121 - (entry, _('Hostile address (illegal characters)')))
122 + (safeentry, _('Hostile address (illegal characters)')))
123 else:
124 member = Utils.uncanonstr(formataddr((fullname, address)))
125 subscribe_success.append(Utils.websafe(member))
126 @@ -1386,9 +1387,9 @@
127 addr, whence='admin mass unsub',
128 admin_notif=send_unsub_notifications,
129 userack=userack)
130 - unsubscribe_success.append(addr)
131 + unsubscribe_success.append(Utils.websafe(addr))
132 except Errors.NotAMemberError:
133 - unsubscribe_errors.append(addr)
134 + unsubscribe_errors.append(Utils.websafe(addr))
135 if unsubscribe_success:
136 doc.AddItem(Header(5, _('Successfully Unsubscribed:')))
137 doc.AddItem(UnorderedList(*unsubscribe_success))
138 --- mailman-2.1.5.1/Mailman/Utils.py.CVE-2006-3636 2003-12-26 23:50:04.000000000 +0100
139 +++ mailman-2.1.5.1/Mailman/Utils.py 2006-08-23 12:24:06.000000000 +0200
140 @@ -201,7 +201,7 @@
141 _badchars = re.compile(r'[][()<>|;^,/\200-\377]')
142
143 def ValidateEmail(s):
144 - """Verify that the an email address isn't grossly evil."""
145 + """Verify that an email address isn't grossly evil."""
146 # Pretty minimal, cheesy check. We could do better...
147 if not s or s.count(' ') > 0:
148 raise Errors.MMBadEmailError
149 --- mailman-2.1.5.1/Mailman/htmlformat.py.CVE-2006-3636 2003-09-22 04:58:13.000000000 +0200
150 +++ mailman-2.1.5.1/Mailman/htmlformat.py 2006-08-23 12:24:06.000000000 +0200
151 @@ -448,7 +448,11 @@
152
153 class TextBox(InputObj):
154 def __init__(self, name, value='', size=mm_cfg.TEXTFIELDWIDTH):
155 - InputObj.__init__(self, name, "TEXT", value, checked=0, size=size)
156 + if isinstance(value, str):
157 + safevalue = Utils.websafe(value)
158 + else:
159 + safevalue = value
160 + InputObj.__init__(self, name, "TEXT", safevalue, checked=0, size=size)
161
162 class Hidden(InputObj):
163 def __init__(self, name, value=''):
164 @@ -457,8 +461,12 @@
165 class TextArea:
166 def __init__(self, name, text='', rows=None, cols=None, wrap='soft',
167 readonly=0):
168 + if isinstance(text, str):
169 + safetext = Utils.websafe(text)
170 + else:
171 + safetext = text
172 self.name = name
173 - self.text = text
174 + self.text = safetext
175 self.rows = rows
176 self.cols = cols
177 self.wrap = wrap
178 --- mailman-2.1.5.1/Mailman/Gui/General.py.CVE-2006-3636 2004-02-17 20:27:46.000000000 +0100
179 +++ mailman-2.1.5.1/Mailman/Gui/General.py 2006-08-23 12:24:06.000000000 +0200
180 @@ -433,13 +433,13 @@
181 GUIBase._setValue(self, mlist, property, val, doc)
182
183 def _escape(self, property, value):
184 - # The 'info' property allows HTML, but lets sanitize it to avoid XSS
185 + # The 'info' property allows HTML, but let's sanitize it to avoid XSS
186 # exploits. Everything else should be fully escaped.
187 if property <> 'info':
188 return GUIBase._escape(self, property, value)
189 # Sanitize <script> and </script> tags but nothing else. Not the best
190 # solution, but expedient.
191 - return re.sub(r'<([/]?script.*?)>', r'&lt;\1&gt;', value)
192 + return re.sub(r'(?i)<([/]?script.*?)>', r'&lt;\1&gt;', value)
193
194 def _postValidate(self, mlist, doc):
195 if not mlist.reply_to_address.strip() and \
196 --- mailman-2.1.5.1/Mailman/HTMLFormatter.py.CVE-2006-3636 2003-09-29 17:01:22.000000000 +0200
197 +++ mailman-2.1.5.1/Mailman/HTMLFormatter.py 2006-08-23 12:24:06.000000000 +0200
198 @@ -332,8 +332,12 @@
199 return '</FORM>'
200
201 def FormatBox(self, name, size=20, value=''):
202 + if isinstance(value, str):
203 + safevalue = Utils.websafe(value)
204 + else:
205 + safevalue = value
206 return '<INPUT type="Text" name="%s" size="%d" value="%s">' % (
207 - name, size, value)
208 + name, size, safevalue)
209
210 def FormatSecureBox(self, name):
211 return '<INPUT type="Password" name="%s" size="15">' % name

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed