diff options
author | Mark Sapiro <mark@msapiro.net> | 2018-03-08 17:33:07 -0800 |
---|---|---|
committer | Mark Sapiro <mark@msapiro.net> | 2018-03-08 17:33:07 -0800 |
commit | 21eafd3e46083eded01f67ea828bc7b46ffb3f07 (patch) | |
tree | fb8227f504f69e8423595805f21bf1c7b7b53261 | |
parent | e61719889de7b570adb19af5e223c66f1e09e8bc (diff) | |
download | mailman2-21eafd3e46083eded01f67ea828bc7b46ffb3f07.tar.gz mailman2-21eafd3e46083eded01f67ea828bc7b46ffb3f07.tar.xz mailman2-21eafd3e46083eded01f67ea828bc7b46ffb3f07.zip |
Added a few more badword checks to Utils.suspiciousHTML().
Added validation of GUI updates to host_name.
-rw-r--r-- | Mailman/Gui/General.py | 10 | ||||
-rw-r--r-- | Mailman/Utils.py | 31 | ||||
-rw-r--r-- | NEWS | 5 |
3 files changed, 41 insertions, 5 deletions
diff --git a/Mailman/Gui/General.py b/Mailman/Gui/General.py index 980e5f2b..dfde6309 100644 --- a/Mailman/Gui/General.py +++ b/Mailman/Gui/General.py @@ -1,4 +1,4 @@ -# Copyright (C) 2001-2014 by the Free Software Foundation, Inc. +# Copyright (C) 2001-2018 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -559,6 +559,14 @@ mlist.info. or not isinstance(val, IntType)): doc.addError(_("""<b>admin_member_chunksize</b> attribute not changed! It must be an integer > 0.""")) + elif property == 'host_name': + try: + Utils.ValidateEmail('user@' + val) + except Errors.EmailAddressError: + doc.addError(_("""<b>host_name</b> attribute not changed! + It must be a valid domain name.""")) + else: + GUIBase._setValue(self, mlist, property, val, doc) else: GUIBase._setValue(self, mlist, property, val, doc) diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 9dbd0b55..fd6ac796 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2017 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2018 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -1019,6 +1019,7 @@ _badwords = [ '<meta', '<object', '<script', + '@keyframes', r'\bj(?:ava)?script\b', r'\bvbs(?:cript)?\b', r'\bdomactivate\b', @@ -1035,12 +1036,14 @@ _badwords = [ r'\bon(?:de)?activate\b', r'\bon(?:after|before)print\b', r'\bon(?:after|before)update\b', + r'\b(?:on)?animation(?:end|iteration|start)\b', r'\bonbefore(?:(?:de)?activate|copy|cut|editfocus|paste)\b', r'\bonbeforeunload\b', r'\bonbegin\b', r'\bonblur\b', r'\bonbounce\b', r'\bonbroadcast\b', + r'\boncanplay(?:through)?\b', r'\bon(?:cell)?change\b', r'\boncheckboxstatechange\b', r'\bon(?:dbl)?click\b', @@ -1056,7 +1059,9 @@ _badwords = [ r'\bondrag(?:drop|end|enter|exit|gesture|leave|over)?\b', r'\bondragstart\b', r'\bondrop\b', - r'\bonend\b', + r'\bondurationchange\b', + r'\bonemptied\b', + r'\bonend(?:ed)?\b', r'\bonerror(?:update)?\b', r'\bonfilterchange\b', r'\bonfinish\b', @@ -1066,21 +1071,28 @@ _badwords = [ r'\bonkey(?:up|down|press)\b', r'\bonlayoutcomplete\b', r'\bon(?:un)?load\b', + r'\bonloaded(?:meta)?data\b', + r'\bonloadstart\b', r'\bonlosecapture\b', r'\bonmedia(?:complete|error)\b', + r'\bonmessage\b', r'\bonmouse(?:down|enter|leave|move|out|over|up|wheel)\b', r'\bonmove(?:end|start)?\b', r'\bon(?:off|on)line\b', + r'\bonopen\b', r'\bonoutofsync\b', r'\bonoverflow(?:changed)?\b', r'\bonpage(?:hide|show)\b', r'\bonpaint\b', r'\bonpaste\b', r'\bonpause\b', + r'\bonplay(?:ing)?\b', + r'\bonpopstate\b', r'\bonpopup(?:hidden|hiding|showing|shown)\b', r'\bonprogress\b', r'\bonpropertychange\b', r'\bonradiostatechange\b', + r'\bonratechange\b', r'\bonreadystatechange\b', r'\bonrepeat\b', r'\bonreset\b', @@ -1090,19 +1102,30 @@ _badwords = [ r'\bonrow(?:delete|enter|exit|inserted)\b', r'\bonrows(?:delete|enter|inserted)\b', r'\bonscroll\b', - r'\bonseek\b', + r'\bonsearch\b', + r'\bonseek(?:ed|ing)?\b', r'\bonselect(?:start)?\b', r'\bonselectionchange\b', + r'\bonshow\b', r'\bonstart\b', + r'\bonstalled\b', r'\bonstop\b', + r'\bonstorage\b', r'\bonsubmit\b', + r'\bonsuspend\b', r'\bonsync(?:from|to)preference\b', r'\bonsyncrestored\b', r'\bontext\b', - r'\bontimeerror\b', + r'\bontime(?:error|update)\b', + r'\bontoggle\b', + r'\bontouch(?:cancel|end|move|start)\b', r'\bontrackchange\b', + r'\b(?:on)?transitionend\b', r'\bonunderflow\b', r'\bonurlflip\b', + r'\bonvolumechange\b', + r'\bonwaiting\b', + r'\bonwheel\b', r'\bseeksegmenttime\b', r'\bsvgabort\b', r'\bsvgerror\b', @@ -7,6 +7,11 @@ Here is a history of user visible changes to Mailman. 2.1.27 (xx-xxx-xxxx) + Security + + - Existing protections against malicious listowners injecting evil + scripts into listinfo pages have had a few more checks added. + Bug fixes and other patches - Bad values in a list's topics will no longer break everything that |