authorYasuhito FUTATSUKI at POEM <futatuki@poem.co.jp>2018-02-05 02:58:21 +0900
committerYasuhito FUTATSUKI at POEM <futatuki@poem.co.jp>2018-02-05 02:58:21 +0900
commit042a223d0eb6240e2a5e843769be76b378ac08b3 (patch)
treee639d85523e7a27d292900140f244aedc48a1acd
parent0627aae9ef10fb96adaaa0a27e10f314bf7ee61b (diff)
parentefb0588b6eca8063fcefdd376335322db1cbb758 (diff)
sync with lp:mailman/2.1 rev 1744 (2.1.26)
-rw-r--r--Mailman/Cgi/listinfo.py4
-rw-r--r--Mailman/Cgi/options.py32
-rw-r--r--Mailman/Version.py4
-rw-r--r--NEWS10
4 files changed, 29 insertions, 21 deletions
diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py
index bab460b6..428834ba 100644
--- a/Mailman/Cgi/listinfo.py
+++ b/Mailman/Cgi/listinfo.py
@@ -21,7 +21,6 @@
# No lock needed in this script, because we don't change data.
import os
-import re
import cgi
import time
@@ -246,14 +245,13 @@ def list_listinfo(mlist, lang):
replacements['<mm-fullname-box>'] = mlist.FormatBox('fullname', size=30)
# If reCAPTCHA is enabled, display its user interface
if mm_cfg.RECAPTCHA_SITE_KEY:
- rlang = re.sub('_', '-', lang)
replacements['<mm-recaptcha-ui>'] = (
"""<tr><td>&nbsp;</td><td>
<script src="https://www.google.com/recaptcha/api.js?hl=%s">
</script>
<div class="g-recaptcha" data-sitekey="%s"></div>
</td></tr>"""
- % (rlang, mm_cfg.RECAPTCHA_SITE_KEY))
+ % (lang, mm_cfg.RECAPTCHA_SITE_KEY))
else:
replacements['<mm-recaptcha-ui>'] = ''
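Review bot: Dropping the `re.sub('_', '-', lang)` mapping means language codes that Mailman spells with an underscore (for example `pt_BR`) are now sent verbatim as the reCAPTCHA `hl=` parameter; if the widget expects hyphenated tags this silently changes which localisation is loaded, and the mapping can be kept without the removed `re` import as `% (lang.replace('_', '-'), mm_cfg.RECAPTCHA_SITE_KEY))`. Either way `lang` is interpolated unescaped into a `<script src>` attribute, so if its value can be influenced by the request rather than coming from a validated set of known language codes, it should be checked against that set (or escaped) before this format; that validation is not visible in the hunk. A short comment would make the contract explicit, e.g. `# lang is passed straight to reCAPTCHA's hl= and into markup; it must already be a known language code.`. list_listinfo starts and ends outside this hunk.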
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 93148af8..6608df4f 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2017 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -200,20 +200,6 @@ def main():
doc.set_language(userlang)
i18n.set_language(userlang)
- # See if this is VARHELP on topics.
- varhelp = None
- if cgidata.has_key('VARHELP'):
- varhelp = cgidata['VARHELP'].value
- elif os.environ.get('QUERY_STRING'):
- # POST methods, even if their actions have a query string, don't get
- # put into FieldStorage's keys :-(
- qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
- if qs and type(qs) == types.ListType:
- varhelp = qs[0]
- if varhelp:
- topic_details(mlist, doc, user, cpuser, userlang, varhelp)
- return
-
# Are we processing an unsubscription request from the login screen?
msgc = _('If you are a list member, a confirmation email has been sent.')
msga = _("""If you are a list member, your unsubscription request has been
@@ -340,6 +326,22 @@ def main():
print doc.Format()
return
+ # See if this is VARHELP on topics.
+ varhelp = None
+ if cgidata.has_key('VARHELP'):
+ varhelp = cgidata['VARHELP'].value
+ elif os.environ.get('QUERY_STRING'):
+ # POST methods, even if their actions have a query string, don't get
+ # put into FieldStorage's keys :-(
+ qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
+ if qs and type(qs) == types.ListType:
+ varhelp = qs[0]
+ if varhelp:
+ # Sanitize the topic name.
+ varhelp = re.sub('<.*', '', varhelp)
+ topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+ return
+
if cgidata.has_key('logout'):
print mlist.ZapCookie(mm_cfg.AuthUser, user)
loginpage(mlist, doc, user, language)
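Review bot: The new sanitizer `varhelp = re.sub('<.*', '', varhelp)` is a deny-list that removes text only from the first `<` to the end of the line (`.` does not match a newline), so it is a narrow defence for a value that, per the NEWS entry describing an XSS via a crafted URL, topic_details apparently reflects back into the page; it would be more robust to escape the value where it is rendered (e.g. `cgi.escape(varhelp, True)` or Mailman's `Utils.websafe`) and to treat a name matching none of the list's configured topics as invalid without echoing it. The hunk also relies on `re` and `types` already being imported in options.py, which this diff does not add, so that should be confirmed against the module header. A comment above the substitution would state why it exists, e.g. `# VARHELP is user-supplied and echoed back by topic_details; strip markup.`. main() begins and ends outside this hunk, and the deletion hunk above is the same block moved below the login check.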
diff --git a/Mailman/Version.py b/Mailman/Version.py
index 28ac4daf..1a5775b3 100644
--- a/Mailman/Version.py
+++ b/Mailman/Version.py
@@ -16,7 +16,7 @@
# USA.
# Mailman version
-VERSION = '2.1.25'
+VERSION = '2.1.26'
# And as a hex number in the manner of PY_VERSION_HEX
ALPHA = 0xa
@@ -28,7 +28,7 @@ FINAL = 0xf
MAJOR_REV = 2
MINOR_REV = 1
-MICRO_REV = 25
+MICRO_REV = 26
REL_LEVEL = FINAL
# at most 15 beta releases!
REL_SERIAL = 0
diff --git a/NEWS b/NEWS
index b1af8bfb..5f66485c 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,15 @@ Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
Here is a history of user visible changes to Mailman.
-2.1.26 (xx-xxx-xxxx)
+2.1.26 (04-Feb-2018)
+
+ Security
+
+ - An XSS vulnerability in the user options CGI could allow a crafted URL
+ to execute arbitrary javascript in a user's browser. A related issue
+ could expose information on a user's options page without requiring
+ login. These are fixed. Thanks to Calum Hutton for the report.
+ CVE-2018-5950 (LP: #1747209)
New Features