| 1 |
=== modified file 'Mailman/Cgi/edithtml.py' |
| 2 |
--- Mailman/Cgi/edithtml.py 2006-08-30 14:54:22 +0000 |
| 3 |
+++ Mailman/Cgi/edithtml.py 2007-12-04 19:52:18 +0000 |
| 4 |
@@ -1,4 +1,4 @@ |
| 5 |
-# Copyright (C) 1998-2006 by the Free Software Foundation, Inc. |
| 6 |
+# Copyright (C) 1998-2007 by the Free Software Foundation, Inc. |
| 7 |
# |
| 8 |
# This program is free software; you can redistribute it and/or |
| 9 |
# modify it under the terms of the GNU General Public License |
| 10 |
@@ -159,7 +159,20 @@ |
| 11 |
doc.AddItem('<hr>') |
| 12 |
return |
| 13 |
code = cgi_info['html_code'].value |
| 14 |
- code = re.sub(r'<([/]?script.*?)>', r'<\1>', code) |
| 15 |
+ if Utils.suspiciousHTML(code): |
| 16 |
+ doc.AddItem(Header(3, |
| 17 |
+ _("""The page you saved contains suspicious HTML that could |
| 18 |
+potentially expose your users to cross-site scripting attacks. This change |
| 19 |
+has therefore been rejected. If you still want to make these changes, you |
| 20 |
+must have shell access to your Mailman server. |
| 21 |
+ """))) |
| 22 |
+ doc.AddItem(_('See ')) |
| 23 |
+ doc.AddItem(Link( |
| 24 |
+'http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.048.htp', |
| 25 |
+ _('FAQ 4.48.'))) |
| 26 |
+ doc.AddItem(Header(3,_("Page Unchanged."))) |
| 27 |
+ doc.AddItem('<hr>') |
| 28 |
+ return |
| 29 |
langdir = os.path.join(mlist.fullpath(), mlist.preferred_language) |
| 30 |
# Make sure the directory exists |
| 31 |
omask = os.umask(0) |
| 32 |
|
| 33 |
=== modified file 'Mailman/Gui/General.py' |
| 34 |
--- Mailman/Gui/General.py 2006-08-30 14:54:22 +0000 |
| 35 |
+++ Mailman/Gui/General.py 2007-12-04 19:52:18 +0000 |
| 36 |
@@ -1,4 +1,4 @@ |
| 37 |
-# Copyright (C) 2001-2006 by the Free Software Foundation, Inc. |
| 38 |
+# Copyright (C) 2001-2007 by the Free Software Foundation, Inc. |
| 39 |
# |
| 40 |
# This program is free software; you can redistribute it and/or |
| 41 |
# modify it under the terms of the GNU General Public License |
| 42 |
@@ -436,17 +442,21 @@ |
| 43 |
# Convert any html entities to Unicode |
| 44 |
mlist.subject_prefix = Utils.canonstr( |
| 45 |
val, mlist.preferred_language) |
| 46 |
+ elif property == 'info': |
| 47 |
+ if val <> mlist.info: |
| 48 |
+ if Utils.suspiciousHTML(val): |
| 49 |
+ doc.addError(_("""The <b>info</b> attribute you saved |
| 50 |
+contains suspicious HTML that could potentially expose your users to cross-site |
| 51 |
+scripting attacks. This change has therefore been rejected. If you still want |
| 52 |
+to make these changes, you must have shell access to your Mailman server. |
| 53 |
+This change can be made with bin/withlist or with bin/config_list by setting |
| 54 |
+mlist.info. |
| 55 |
+ """)) |
| 56 |
+ else: |
| 57 |
+ mlist.info = val |
| 58 |
else: |
| 59 |
GUIBase._setValue(self, mlist, property, val, doc) |
| 60 |
|
| 61 |
- def _escape(self, property, value): |
| 62 |
- # The 'info' property allows HTML, but let's sanitize it to avoid XSS |
| 63 |
- # exploits. Everything else should be fully escaped. |
| 64 |
- if property <> 'info': |
| 65 |
- return GUIBase._escape(self, property, value) |
| 66 |
- # Sanitize <script> and </script> tags but nothing else. Not the best |
| 67 |
- # solution, but expedient. |
| 68 |
- return re.sub(r'(?i)<([/]?script.*?)>', r'<\1>', value) |
| 69 |
|
| 70 |
def _postValidate(self, mlist, doc): |
| 71 |
if not mlist.reply_to_address.strip() and \ |
| 72 |
|
| 73 |
=== modified file 'Mailman/Gui/GUIBase.py' |
| 74 |
--- Mailman/Gui/GUIBase.py 2005-08-27 01:40:17 +0000 |
| 75 |
+++ Mailman/Gui/GUIBase.py 2007-11-18 20:01:26 +0000 |
| 76 |
@@ -1,4 +1,4 @@ |
| 77 |
-# Copyright (C) 2002-2004 by the Free Software Foundation, Inc. |
| 78 |
+# Copyright (C) 2002-2007 by the Free Software Foundation, Inc. |
| 79 |
# |
| 80 |
# This program is free software; you can redistribute it and/or |
| 81 |
# modify it under the terms of the GNU General Public License |
| 82 |
@@ -12,7 +12,8 @@ |
| 83 |
# |
| 84 |
# You should have received a copy of the GNU General Public License |
| 85 |
# along with this program; if not, write to the Free Software |
| 86 |
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
| 87 |
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, |
| 88 |
+# USA. |
| 89 |
|
| 90 |
"""Base class for all web GUI components.""" |
| 91 |
|
| 92 |
@@ -122,10 +127,6 @@ |
| 93 |
# Validate all the attributes for this category |
| 94 |
pass |
| 95 |
|
| 96 |
- def _escape(self, property, value): |
| 97 |
- value = value.replace('<', '<') |
| 98 |
- return value |
| 99 |
- |
| 100 |
def handleForm(self, mlist, category, subcat, cgidata, doc): |
| 101 |
for item in self.GetConfigInfo(mlist, category, subcat): |
| 102 |
# Skip descriptions and legacy non-attributes |
| 103 |
@@ -144,10 +145,9 @@ |
| 104 |
elif not cgidata.has_key(property): |
| 105 |
continue |
| 106 |
elif isinstance(cgidata[property], ListType): |
| 107 |
- val = [self._escape(property, x.value) |
| 108 |
- for x in cgidata[property]] |
| 109 |
+ val = [x.value for x in cgidata[property]] |
| 110 |
else: |
| 111 |
- val = self._escape(property, cgidata[property].value) |
| 112 |
+ val = cgidata[property].value |
| 113 |
# Coerce the value to the expected type, raising exceptions if the |
| 114 |
# value is invalid. |
| 115 |
try: |
| 116 |
|
| 117 |
=== modified file 'Mailman/Utils.py' |
| 118 |
--- Mailman/Utils.py 2007-11-25 08:04:30 +0000 |
| 119 |
+++ Mailman/Utils.py 2007-12-04 19:52:18 +0000 |
| 120 |
@@ -876,3 +876,154 @@ |
| 121 |
except (LookupError, UnicodeError, ValueError, HeaderParseError): |
| 122 |
# possibly charset problem. return with undecoded string in one line. |
| 123 |
return EMPTYSTRING.join(s.splitlines()) |
| 124 |
+ |
| 125 |
+ |
| 126 |
+# Patterns and functions to flag possible XSS attacks in HTML. |
| 127 |
+# This list is compiled from information at http://ha.ckers.org/xss.html, |
| 128 |
+# http://www.quirksmode.org/js/events_compinfo.html, |
| 129 |
+# http://www.htmlref.com/reference/appa/events1.htm, |
| 130 |
+# http://lxr.mozilla.org/mozilla/source/content/events/src/nsDOMEvent.cpp#59, |
| 131 |
+# http://www.w3.org/TR/DOM-Level-2-Events/events.html and |
| 132 |
+# http://www.xulplanet.com/references/elemref/ref_EventHandlers.html |
| 133 |
+# Many thanks are due to Moritz Naumann for his assistance with this. |
| 134 |
+_badwords = [ |
| 135 |
+ '<i?frame', |
| 136 |
+ '<link', |
| 137 |
+ '<meta', |
| 138 |
+ '<script', |
| 139 |
+ r'(?:^|\W)j(?:ava)?script(?:\W|$)', |
| 140 |
+ r'(?:^|\W)vbs(?:cript)?(?:\W|$)', |
| 141 |
+ r'(?:^|\W)domactivate(?:\W|$)', |
| 142 |
+ r'(?:^|\W)domattrmodified(?:\W|$)', |
| 143 |
+ r'(?:^|\W)domcharacterdatamodified(?:\W|$)', |
| 144 |
+ r'(?:^|\W)domfocus(?:in|out)(?:\W|$)', |
| 145 |
+ r'(?:^|\W)dommenuitem(?:in)?active(?:\W|$)', |
| 146 |
+ r'(?:^|\W)dommousescroll(?:\W|$)', |
| 147 |
+ r'(?:^|\W)domnodeinserted(?:intodocument)?(?:\W|$)', |
| 148 |
+ r'(?:^|\W)domnoderemoved(?:fromdocument)?(?:\W|$)', |
| 149 |
+ r'(?:^|\W)domsubtreemodified(?:\W|$)', |
| 150 |
+ r'(?:^|\W)fscommand(?:\W|$)', |
| 151 |
+ r'(?:^|\W)onabort(?:\W|$)', |
| 152 |
+ r'(?:^|\W)on(?:de)?activate(?:\W|$)', |
| 153 |
+ r'(?:^|\W)on(?:after|before)print(?:\W|$)', |
| 154 |
+ r'(?:^|\W)on(?:after|before)update(?:\W|$)', |
| 155 |
+ r'(?:^|\W)onbefore(?:(?:de)?activate|copy|cut|editfocus|paste)(?:\W|$)', |
| 156 |
+ r'(?:^|\W)onbeforeunload(?:\W|$)', |
| 157 |
+ r'(?:^|\W)onbegin(?:\W|$)', |
| 158 |
+ r'(?:^|\W)onblur(?:\W|$)', |
| 159 |
+ r'(?:^|\W)onbounce(?:\W|$)', |
| 160 |
+ r'(?:^|\W)onbroadcast(?:\W|$)', |
| 161 |
+ r'(?:^|\W)on(?:cell)?change(?:\W|$)', |
| 162 |
+ r'(?:^|\W)oncheckboxstatechange(?:\W|$)', |
| 163 |
+ r'(?:^|\W)on(?:dbl)?click(?:\W|$)', |
| 164 |
+ r'(?:^|\W)onclose(?:\W|$)', |
| 165 |
+ r'(?:^|\W)oncommand(?:update)?(?:\W|$)', |
| 166 |
+ r'(?:^|\W)oncomposition(?:end|start)(?:\W|$)', |
| 167 |
+ r'(?:^|\W)oncontextmenu(?:\W|$)', |
| 168 |
+ r'(?:^|\W)oncontrolselect(?:\W|$)', |
| 169 |
+ r'(?:^|\W)oncopy(?:\W|$)', |
| 170 |
+ r'(?:^|\W)oncut(?:\W|$)', |
| 171 |
+ r'(?:^|\W)ondataavailable(?:\W|$)', |
| 172 |
+ r'(?:^|\W)ondataset(?:changed|complete)(?:\W|$)', |
| 173 |
+ r'(?:^|\W)ondrag(?:drop|end|enter|exit|gesture|leave|over)?(?:\W|$)', |
| 174 |
+ r'(?:^|\W)ondragstart(?:\W|$)', |
| 175 |
+ r'(?:^|\W)ondrop(?:\W|$)', |
| 176 |
+ r'(?:^|\W)onend(?:\W|$)', |
| 177 |
+ r'(?:^|\W)onerror(?:update)?(?:\W|$)', |
| 178 |
+ r'(?:^|\W)onfilterchange(?:\W|$)', |
| 179 |
+ r'(?:^|\W)onfinish(?:\W|$)', |
| 180 |
+ r'(?:^|\W)onfocus(?:in|out)?(?:\W|$)', |
| 181 |
+ r'(?:^|\W)onhelp(?:\W|$)', |
| 182 |
+ r'(?:^|\W)oninput(?:\W|$)', |
| 183 |
+ r'(?:^|\W)onkey(?:up|down|press)(?:\W|$)', |
| 184 |
+ r'(?:^|\W)onlayoutcomplete(?:\W|$)', |
| 185 |
+ r'(?:^|\W)on(?:un)?load(?:\W|$)', |
| 186 |
+ r'(?:^|\W)onlosecapture(?:\W|$)', |
| 187 |
+ r'(?:^|\W)onmedia(?:complete|error)(?:\W|$)', |
| 188 |
+ r'(?:^|\W)onmouse(?:down|enter|leave|move|out|over|up|wheel)(?:\W|$)', |
| 189 |
+ r'(?:^|\W)onmove(?:end|start)?(?:\W|$)', |
| 190 |
+ r'(?:^|\W)on(?:off|on)line(?:\W|$)', |
| 191 |
+ r'(?:^|\W)onoutofsync(?:\W|$)', |
| 192 |
+ r'(?:^|\W)onoverflow(?:changed)?(?:\W|$)', |
| 193 |
+ r'(?:^|\W)onpage(?:hide|show)(?:\W|$)', |
| 194 |
+ r'(?:^|\W)onpaint(?:\W|$)', |
| 195 |
+ r'(?:^|\W)onpaste(?:\W|$)', |
| 196 |
+ r'(?:^|\W)onpause(?:\W|$)', |
| 197 |
+ r'(?:^|\W)onpopup(?:hidden|hiding|showing|shown)(?:\W|$)', |
| 198 |
+ r'(?:^|\W)onprogress(?:\W|$)', |
| 199 |
+ r'(?:^|\W)onpropertychange(?:\W|$)', |
| 200 |
+ r'(?:^|\W)onradiostatechange(?:\W|$)', |
| 201 |
+ r'(?:^|\W)onreadystatechange(?:\W|$)', |
| 202 |
+ r'(?:^|\W)onrepeat(?:\W|$)', |
| 203 |
+ r'(?:^|\W)onreset(?:\W|$)', |
| 204 |
+ r'(?:^|\W)onresize(?:end|start)?(?:\W|$)', |
| 205 |
+ r'(?:^|\W)onresume(?:\W|$)', |
| 206 |
+ r'(?:^|\W)onreverse(?:\W|$)', |
| 207 |
+ r'(?:^|\W)onrow(?:delete|enter|exit|inserted)(?:\W|$)', |
| 208 |
+ r'(?:^|\W)onrows(?:delete|enter|inserted)(?:\W|$)', |
| 209 |
+ r'(?:^|\W)onscroll(?:\W|$)', |
| 210 |
+ r'(?:^|\W)onseek(?:\W|$)', |
| 211 |
+ r'(?:^|\W)onselect(?:start)?(?:\W|$)', |
| 212 |
+ r'(?:^|\W)onselectionchange(?:\W|$)', |
| 213 |
+ r'(?:^|\W)onstart(?:\W|$)', |
| 214 |
+ r'(?:^|\W)onstop(?:\W|$)', |
| 215 |
+ r'(?:^|\W)onsubmit(?:\W|$)', |
| 216 |
+ r'(?:^|\W)onsync(?:from|to)preference(?:\W|$)', |
| 217 |
+ r'(?:^|\W)onsyncrestored(?:\W|$)', |
| 218 |
+ r'(?:^|\W)ontext(?:\W|$)', |
| 219 |
+ r'(?:^|\W)ontimeerror(?:\W|$)', |
| 220 |
+ r'(?:^|\W)ontrackchange(?:\W|$)', |
| 221 |
+ r'(?:^|\W)onunderflow(?:\W|$)', |
| 222 |
+ r'(?:^|\W)onurlflip(?:\W|$)', |
| 223 |
+ r'(?:^|\W)seeksegmenttime(?:\W|$)', |
| 224 |
+ r'(?:^|\W)svgabort(?:\W|$)', |
| 225 |
+ r'(?:^|\W)svgerror(?:\W|$)', |
| 226 |
+ r'(?:^|\W)svgload(?:\W|$)', |
| 227 |
+ r'(?:^|\W)svgresize(?:\W|$)', |
| 228 |
+ r'(?:^|\W)svgscroll(?:\W|$)', |
| 229 |
+ r'(?:^|\W)svgunload(?:\W|$)', |
| 230 |
+ r'(?:^|\W)svgzoom(?:\W|$)', |
| 231 |
+ ] |
| 232 |
+ |
| 233 |
+ |
| 234 |
+# This is the actual re to look for the above patterns |
| 235 |
+_badhtml = re.compile('|'.join(_badwords), re.IGNORECASE) |
| 236 |
+# This is used to filter non-printable us-ascii characters, some of which |
| 237 |
+# can be used to break words to avoid recognition. |
| 238 |
+_filterchars = re.compile('[\000-\011\013\014\016-\037\177-\237]') |
| 239 |
+# This is used to recognize '&#' and '%xx' strings for _translate which |
| 240 |
+# translates them to characters |
| 241 |
+_encodedchars = re.compile('(&#[0-9]+;?)|(&#x[0-9a-f]+;?)|(%[0-9a-f]{2})', |
| 242 |
+ re.IGNORECASE) |
| 243 |
+ |
| 244 |
+ |
| 245 |
+def _translate(mo): |
| 246 |
+ """Translate &#... and %xx encodings into the encoded character.""" |
| 247 |
+ match = mo.group().lower().strip('&#;') |
| 248 |
+ try: |
| 249 |
+ if match.startswith('x') or match.startswith('%'): |
| 250 |
+ val = int(match[1:], 16) |
| 251 |
+ else: |
| 252 |
+ val = int(match, 10) |
| 253 |
+ except ValueError: |
| 254 |
+ return '' |
| 255 |
+ if val < 256: |
| 256 |
+ return chr(val) |
| 257 |
+ else: |
| 258 |
+ return '' |
| 259 |
+ |
| 260 |
+ |
| 261 |
+def suspiciousHTML(html): |
| 262 |
+ """Check HTML string for various tags, script language names and |
| 263 |
+ 'onxxx' actions that can be used in XSS attacks. |
| 264 |
+ Currently, this a very simple minded test. It just looks for |
| 265 |
+ patterns without analyzing context. Thus, it potentially flags lots |
| 266 |
+ of benign stuff. |
| 267 |
+ Returns True if anything suspicious found, False otherwise. |
| 268 |
+ """ |
| 269 |
+ |
| 270 |
+ if _badhtml.search(_filterchars.sub( |
| 271 |
+ '', _encodedchars.sub(_translate, html))): |
| 272 |
+ return True |
| 273 |
+ else: |
| 274 |
+ return False |
| 275 |
|
Parent Directory
| 
Revision Log
| 
Revision Graph
