/[smecontribs]/rpms/mailman/contribs8/mailman-2.1.9-CVE-2008-0564.patch
ViewVC logotype

Annotation of /rpms/mailman/contribs8/mailman-2.1.9-CVE-2008-0564.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Fri Jul 12 21:04:21 2013 UTC (11 years, 4 months ago) by unnilennium
Branch: MAIN
CVS Tags: mailman-2_1_9-6_el5_6_1, mailman-2_1_9-20_el5_sme, mailman-2_1_9-6_el5_sme_20, HEAD
import new srpm

1 unnilennium 1.1 === modified file 'Mailman/Cgi/edithtml.py'
2     --- Mailman/Cgi/edithtml.py 2006-08-30 14:54:22 +0000
3     +++ Mailman/Cgi/edithtml.py 2007-12-04 19:52:18 +0000
4     @@ -1,4 +1,4 @@
5     -# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
6     +# Copyright (C) 1998-2007 by the Free Software Foundation, Inc.
7     #
8     # This program is free software; you can redistribute it and/or
9     # modify it under the terms of the GNU General Public License
10     @@ -159,7 +159,20 @@
11     doc.AddItem('<hr>')
12     return
13     code = cgi_info['html_code'].value
14     - code = re.sub(r'<([/]?script.*?)>', r'&lt;\1&gt;', code)
15     + if Utils.suspiciousHTML(code):
16     + doc.AddItem(Header(3,
17     + _("""The page you saved contains suspicious HTML that could
18     +potentially expose your users to cross-site scripting attacks. This change
19     +has therefore been rejected. If you still want to make these changes, you
20     +must have shell access to your Mailman server.
21     + """)))
22     + doc.AddItem(_('See '))
23     + doc.AddItem(Link(
24     +'http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.048.htp',
25     + _('FAQ 4.48.')))
26     + doc.AddItem(Header(3,_("Page Unchanged.")))
27     + doc.AddItem('<hr>')
28     + return
29     langdir = os.path.join(mlist.fullpath(), mlist.preferred_language)
30     # Make sure the directory exists
31     omask = os.umask(0)
32    
33     === modified file 'Mailman/Gui/General.py'
34     --- Mailman/Gui/General.py 2006-08-30 14:54:22 +0000
35     +++ Mailman/Gui/General.py 2007-12-04 19:52:18 +0000
36     @@ -1,4 +1,4 @@
37     -# Copyright (C) 2001-2006 by the Free Software Foundation, Inc.
38     +# Copyright (C) 2001-2007 by the Free Software Foundation, Inc.
39     #
40     # This program is free software; you can redistribute it and/or
41     # modify it under the terms of the GNU General Public License
42     @@ -436,17 +442,21 @@
43     # Convert any html entities to Unicode
44     mlist.subject_prefix = Utils.canonstr(
45     val, mlist.preferred_language)
46     + elif property == 'info':
47     + if val <> mlist.info:
48     + if Utils.suspiciousHTML(val):
49     + doc.addError(_("""The <b>info</b> attribute you saved
50     +contains suspicious HTML that could potentially expose your users to cross-site
51     +scripting attacks. This change has therefore been rejected. If you still want
52     +to make these changes, you must have shell access to your Mailman server.
53     +This change can be made with bin/withlist or with bin/config_list by setting
54     +mlist.info.
55     + """))
56     + else:
57     + mlist.info = val
58     else:
59     GUIBase._setValue(self, mlist, property, val, doc)
60    
61     - def _escape(self, property, value):
62     - # The 'info' property allows HTML, but let's sanitize it to avoid XSS
63     - # exploits. Everything else should be fully escaped.
64     - if property <> 'info':
65     - return GUIBase._escape(self, property, value)
66     - # Sanitize <script> and </script> tags but nothing else. Not the best
67     - # solution, but expedient.
68     - return re.sub(r'(?i)<([/]?script.*?)>', r'&lt;\1&gt;', value)
69    
70     def _postValidate(self, mlist, doc):
71     if not mlist.reply_to_address.strip() and \
72    
73     === modified file 'Mailman/Gui/GUIBase.py'
74     --- Mailman/Gui/GUIBase.py 2005-08-27 01:40:17 +0000
75     +++ Mailman/Gui/GUIBase.py 2007-11-18 20:01:26 +0000
76     @@ -1,4 +1,4 @@
77     -# Copyright (C) 2002-2004 by the Free Software Foundation, Inc.
78     +# Copyright (C) 2002-2007 by the Free Software Foundation, Inc.
79     #
80     # This program is free software; you can redistribute it and/or
81     # modify it under the terms of the GNU General Public License
82     @@ -12,7 +12,8 @@
83     #
84     # You should have received a copy of the GNU General Public License
85     # along with this program; if not, write to the Free Software
86     -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
87     +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
88     +# USA.
89    
90     """Base class for all web GUI components."""
91    
92     @@ -122,10 +127,6 @@
93     # Validate all the attributes for this category
94     pass
95    
96     - def _escape(self, property, value):
97     - value = value.replace('<', '&lt;')
98     - return value
99     -
100     def handleForm(self, mlist, category, subcat, cgidata, doc):
101     for item in self.GetConfigInfo(mlist, category, subcat):
102     # Skip descriptions and legacy non-attributes
103     @@ -144,10 +145,9 @@
104     elif not cgidata.has_key(property):
105     continue
106     elif isinstance(cgidata[property], ListType):
107     - val = [self._escape(property, x.value)
108     - for x in cgidata[property]]
109     + val = [x.value for x in cgidata[property]]
110     else:
111     - val = self._escape(property, cgidata[property].value)
112     + val = cgidata[property].value
113     # Coerce the value to the expected type, raising exceptions if the
114     # value is invalid.
115     try:
116    
117     === modified file 'Mailman/Utils.py'
118     --- Mailman/Utils.py 2007-11-25 08:04:30 +0000
119     +++ Mailman/Utils.py 2007-12-04 19:52:18 +0000
120     @@ -876,3 +876,154 @@
121     except (LookupError, UnicodeError, ValueError, HeaderParseError):
122     # possibly charset problem. return with undecoded string in one line.
123     return EMPTYSTRING.join(s.splitlines())
124     +
125     +
126     +# Patterns and functions to flag possible XSS attacks in HTML.
127     +# This list is compiled from information at http://ha.ckers.org/xss.html,
128     +# http://www.quirksmode.org/js/events_compinfo.html,
129     +# http://www.htmlref.com/reference/appa/events1.htm,
130     +# http://lxr.mozilla.org/mozilla/source/content/events/src/nsDOMEvent.cpp#59,
131     +# http://www.w3.org/TR/DOM-Level-2-Events/events.html and
132     +# http://www.xulplanet.com/references/elemref/ref_EventHandlers.html
133     +# Many thanks are due to Moritz Naumann for his assistance with this.
134     +_badwords = [
135     + '<i?frame',
136     + '<link',
137     + '<meta',
138     + '<script',
139     + r'(?:^|\W)j(?:ava)?script(?:\W|$)',
140     + r'(?:^|\W)vbs(?:cript)?(?:\W|$)',
141     + r'(?:^|\W)domactivate(?:\W|$)',
142     + r'(?:^|\W)domattrmodified(?:\W|$)',
143     + r'(?:^|\W)domcharacterdatamodified(?:\W|$)',
144     + r'(?:^|\W)domfocus(?:in|out)(?:\W|$)',
145     + r'(?:^|\W)dommenuitem(?:in)?active(?:\W|$)',
146     + r'(?:^|\W)dommousescroll(?:\W|$)',
147     + r'(?:^|\W)domnodeinserted(?:intodocument)?(?:\W|$)',
148     + r'(?:^|\W)domnoderemoved(?:fromdocument)?(?:\W|$)',
149     + r'(?:^|\W)domsubtreemodified(?:\W|$)',
150     + r'(?:^|\W)fscommand(?:\W|$)',
151     + r'(?:^|\W)onabort(?:\W|$)',
152     + r'(?:^|\W)on(?:de)?activate(?:\W|$)',
153     + r'(?:^|\W)on(?:after|before)print(?:\W|$)',
154     + r'(?:^|\W)on(?:after|before)update(?:\W|$)',
155     + r'(?:^|\W)onbefore(?:(?:de)?activate|copy|cut|editfocus|paste)(?:\W|$)',
156     + r'(?:^|\W)onbeforeunload(?:\W|$)',
157     + r'(?:^|\W)onbegin(?:\W|$)',
158     + r'(?:^|\W)onblur(?:\W|$)',
159     + r'(?:^|\W)onbounce(?:\W|$)',
160     + r'(?:^|\W)onbroadcast(?:\W|$)',
161     + r'(?:^|\W)on(?:cell)?change(?:\W|$)',
162     + r'(?:^|\W)oncheckboxstatechange(?:\W|$)',
163     + r'(?:^|\W)on(?:dbl)?click(?:\W|$)',
164     + r'(?:^|\W)onclose(?:\W|$)',
165     + r'(?:^|\W)oncommand(?:update)?(?:\W|$)',
166     + r'(?:^|\W)oncomposition(?:end|start)(?:\W|$)',
167     + r'(?:^|\W)oncontextmenu(?:\W|$)',
168     + r'(?:^|\W)oncontrolselect(?:\W|$)',
169     + r'(?:^|\W)oncopy(?:\W|$)',
170     + r'(?:^|\W)oncut(?:\W|$)',
171     + r'(?:^|\W)ondataavailable(?:\W|$)',
172     + r'(?:^|\W)ondataset(?:changed|complete)(?:\W|$)',
173     + r'(?:^|\W)ondrag(?:drop|end|enter|exit|gesture|leave|over)?(?:\W|$)',
174     + r'(?:^|\W)ondragstart(?:\W|$)',
175     + r'(?:^|\W)ondrop(?:\W|$)',
176     + r'(?:^|\W)onend(?:\W|$)',
177     + r'(?:^|\W)onerror(?:update)?(?:\W|$)',
178     + r'(?:^|\W)onfilterchange(?:\W|$)',
179     + r'(?:^|\W)onfinish(?:\W|$)',
180     + r'(?:^|\W)onfocus(?:in|out)?(?:\W|$)',
181     + r'(?:^|\W)onhelp(?:\W|$)',
182     + r'(?:^|\W)oninput(?:\W|$)',
183     + r'(?:^|\W)onkey(?:up|down|press)(?:\W|$)',
184     + r'(?:^|\W)onlayoutcomplete(?:\W|$)',
185     + r'(?:^|\W)on(?:un)?load(?:\W|$)',
186     + r'(?:^|\W)onlosecapture(?:\W|$)',
187     + r'(?:^|\W)onmedia(?:complete|error)(?:\W|$)',
188     + r'(?:^|\W)onmouse(?:down|enter|leave|move|out|over|up|wheel)(?:\W|$)',
189     + r'(?:^|\W)onmove(?:end|start)?(?:\W|$)',
190     + r'(?:^|\W)on(?:off|on)line(?:\W|$)',
191     + r'(?:^|\W)onoutofsync(?:\W|$)',
192     + r'(?:^|\W)onoverflow(?:changed)?(?:\W|$)',
193     + r'(?:^|\W)onpage(?:hide|show)(?:\W|$)',
194     + r'(?:^|\W)onpaint(?:\W|$)',
195     + r'(?:^|\W)onpaste(?:\W|$)',
196     + r'(?:^|\W)onpause(?:\W|$)',
197     + r'(?:^|\W)onpopup(?:hidden|hiding|showing|shown)(?:\W|$)',
198     + r'(?:^|\W)onprogress(?:\W|$)',
199     + r'(?:^|\W)onpropertychange(?:\W|$)',
200     + r'(?:^|\W)onradiostatechange(?:\W|$)',
201     + r'(?:^|\W)onreadystatechange(?:\W|$)',
202     + r'(?:^|\W)onrepeat(?:\W|$)',
203     + r'(?:^|\W)onreset(?:\W|$)',
204     + r'(?:^|\W)onresize(?:end|start)?(?:\W|$)',
205     + r'(?:^|\W)onresume(?:\W|$)',
206     + r'(?:^|\W)onreverse(?:\W|$)',
207     + r'(?:^|\W)onrow(?:delete|enter|exit|inserted)(?:\W|$)',
208     + r'(?:^|\W)onrows(?:delete|enter|inserted)(?:\W|$)',
209     + r'(?:^|\W)onscroll(?:\W|$)',
210     + r'(?:^|\W)onseek(?:\W|$)',
211     + r'(?:^|\W)onselect(?:start)?(?:\W|$)',
212     + r'(?:^|\W)onselectionchange(?:\W|$)',
213     + r'(?:^|\W)onstart(?:\W|$)',
214     + r'(?:^|\W)onstop(?:\W|$)',
215     + r'(?:^|\W)onsubmit(?:\W|$)',
216     + r'(?:^|\W)onsync(?:from|to)preference(?:\W|$)',
217     + r'(?:^|\W)onsyncrestored(?:\W|$)',
218     + r'(?:^|\W)ontext(?:\W|$)',
219     + r'(?:^|\W)ontimeerror(?:\W|$)',
220     + r'(?:^|\W)ontrackchange(?:\W|$)',
221     + r'(?:^|\W)onunderflow(?:\W|$)',
222     + r'(?:^|\W)onurlflip(?:\W|$)',
223     + r'(?:^|\W)seeksegmenttime(?:\W|$)',
224     + r'(?:^|\W)svgabort(?:\W|$)',
225     + r'(?:^|\W)svgerror(?:\W|$)',
226     + r'(?:^|\W)svgload(?:\W|$)',
227     + r'(?:^|\W)svgresize(?:\W|$)',
228     + r'(?:^|\W)svgscroll(?:\W|$)',
229     + r'(?:^|\W)svgunload(?:\W|$)',
230     + r'(?:^|\W)svgzoom(?:\W|$)',
231     + ]
232     +
233     +
234     +# This is the actual re to look for the above patterns
235     +_badhtml = re.compile('|'.join(_badwords), re.IGNORECASE)
236     +# This is used to filter non-printable us-ascii characters, some of which
237     +# can be used to break words to avoid recognition.
238     +_filterchars = re.compile('[\000-\011\013\014\016-\037\177-\237]')
239     +# This is used to recognize '&#' and '%xx' strings for _translate which
240     +# translates them to characters
241     +_encodedchars = re.compile('(&#[0-9]+;?)|(&#x[0-9a-f]+;?)|(%[0-9a-f]{2})',
242     + re.IGNORECASE)
243     +
244     +
245     +def _translate(mo):
246     + """Translate &#... and %xx encodings into the encoded character."""
247     + match = mo.group().lower().strip('&#;')
248     + try:
249     + if match.startswith('x') or match.startswith('%'):
250     + val = int(match[1:], 16)
251     + else:
252     + val = int(match, 10)
253     + except ValueError:
254     + return ''
255     + if val < 256:
256     + return chr(val)
257     + else:
258     + return ''
259     +
260     +
261     +def suspiciousHTML(html):
262     + """Check HTML string for various tags, script language names and
263     + 'onxxx' actions that can be used in XSS attacks.
264     + Currently, this a very simple minded test. It just looks for
265     + patterns without analyzing context. Thus, it potentially flags lots
266     + of benign stuff.
267     + Returns True if anything suspicious found, False otherwise.
268     + """
269     +
270     + if _badhtml.search(_filterchars.sub(
271     + '', _encodedchars.sub(_translate, html))):
272     + return True
273     + else:
274     + return False
275    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed