/[smecontribs]/rpms/mailman/contribs9/mailman-2.1.12-CVE-2015-2775.patch
ViewVC logotype

Annotation of /rpms/mailman/contribs9/mailman-2.1.12-CVE-2015-2775.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Sun Aug 23 19:54:39 2015 UTC (9 years, 3 months ago) by stephdl
Branch: MAIN
CVS Tags: mailman-2_1_12-103_el6_sme, mailman-2_1_12-100_el6_sme, mailman-2_1_12-104_el6_sme, mailman-2_1_12-25_el6_sme_sme, mailman-2_1_12-102_el6_sme, mailman-2_1_12-101_el6_sme, HEAD
added all files to cvs

1 stephdl 1.1 diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
2     index 8e42f54..e79f454 100755
3     --- a/Mailman/Defaults.py.in
4     +++ b/Mailman/Defaults.py.in
5     @@ -111,7 +111,7 @@ HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s'
6    
7     # A Python regular expression character class which defines the characters
8     # allowed in list names. Lists cannot be created with names containing any
9     -# character that doesn't match this class.
10     +# character that doesn't match this class. Do not include '/' in this list.
11     ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
12    
13    
14     diff --git a/Mailman/Utils.py b/Mailman/Utils.py
15     index 8021942..231f72c 100644
16     --- a/Mailman/Utils.py
17     +++ b/Mailman/Utils.py
18     @@ -100,6 +100,12 @@ def list_exists(listname):
19     #
20     # The former two are for 2.1alpha3 and beyond, while the latter two are
21     # for all earlier versions.
22     + #
23     + # But first ensure the list name doesn't contain a path traversal
24     + # attack.
25     + if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
26     + syslog('mischief', 'Hostile listname: %s', listname)
27     + return False
28     basepath = Site.get_listpath(listname)
29     for ext in ('.pck', '.pck.last', '.db', '.db.last'):
30     dbfile = os.path.join(basepath, 'config' + ext)

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed