aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMark Sapiro <mark@msapiro.net>2018-02-04 08:41:19 -0800
committerMark Sapiro <mark@msapiro.net>2018-02-04 08:41:19 -0800
commit2dfcd18a5d2982f2f21ff02539f992ba5041808c (patch)
treefa2bdc690c692e719f9c61e0244e04820c504393
parentbcd476a43f2365a48db8c17d0a7076b6a2e0ce92 (diff)
downloadmailman2-2dfcd18a5d2982f2f21ff02539f992ba5041808c.tar.gz
mailman2-2dfcd18a5d2982f2f21ff02539f992ba5041808c.tar.xz
mailman2-2dfcd18a5d2982f2f21ff02539f992ba5041808c.zip
Fix XSS and info leak in options CGI - CVE-2018-5950
Diffstat (limited to '')
-rw-r--r--Mailman/Cgi/options.py32
-rw-r--r--NEWS10
2 files changed, 26 insertions, 16 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 93148af8..6608df4f 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2017 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -200,20 +200,6 @@ def main():
doc.set_language(userlang)
i18n.set_language(userlang)
- # See if this is VARHELP on topics.
- varhelp = None
- if cgidata.has_key('VARHELP'):
- varhelp = cgidata['VARHELP'].value
- elif os.environ.get('QUERY_STRING'):
- # POST methods, even if their actions have a query string, don't get
- # put into FieldStorage's keys :-(
- qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
- if qs and type(qs) == types.ListType:
- varhelp = qs[0]
- if varhelp:
- topic_details(mlist, doc, user, cpuser, userlang, varhelp)
- return
-
# Are we processing an unsubscription request from the login screen?
msgc = _('If you are a list member, a confirmation email has been sent.')
msga = _("""If you are a list member, your unsubscription request has been
@@ -340,6 +326,22 @@ def main():
print doc.Format()
return
+ # See if this is VARHELP on topics.
+ varhelp = None
+ if cgidata.has_key('VARHELP'):
+ varhelp = cgidata['VARHELP'].value
+ elif os.environ.get('QUERY_STRING'):
+ # POST methods, even if their actions have a query string, don't get
+ # put into FieldStorage's keys :-(
+ qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
+ if qs and type(qs) == types.ListType:
+ varhelp = qs[0]
+ if varhelp:
+ # Sanitize the topic name.
+ varhelp = re.sub('<.*', '', varhelp)
+ topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+ return
+
if cgidata.has_key('logout'):
print mlist.ZapCookie(mm_cfg.AuthUser, user)
loginpage(mlist, doc, user, language)
diff --git a/NEWS b/NEWS
index b1af8bfb..5f66485c 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,15 @@ Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
Here is a history of user visible changes to Mailman.
-2.1.26 (xx-xxx-xxxx)
+2.1.26 (04-Feb-2018)
+
+ Security
+
+ - An XSS vulnerability in the user options CGI could allow a crafted URL
+ to execute arbitrary javascript in a user's browser. A related issue
+ could expose information on a user's options page without requiring
+ login. These are fixed. Thanks to Calum Hutton for the report.
+ CVE-2018-5950 (LP: #1747209)
New Features