authortkikuchi <>2006-04-04 23:47:14 +0000
committertkikuchi <>2006-04-04 23:47:14 +0000
commit369a0c8bf117099edb3761b38eadda68ad1cfefc (patch)
tree485881e1540d4f0a899713dda657f98d524b9494
parent31fc369a3fa0853bc71e4282d3863a7750a8ad7f (diff)
downloadmailman2-369a0c8bf117099edb3761b38eadda68ad1cfefc.tar.gz
mailman2-369a0c8bf117099edb3761b38eadda68ad1cfefc.tar.xz
mailman2-369a0c8bf117099edb3761b38eadda68ad1cfefc.zip
Fix XSS bug: Thanks Moritz Naumann. (CVE-2006-1512)
-rw-r--r--Mailman/Cgi/private.py5
1 files changed, 3 insertions, 2 deletions
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 35b38dea..86608418 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -148,9 +148,10 @@ def main():
# page don't work.
if true_filename.endswith('/index.html') and parts[-1] <> 'index.html':
action += SLASH
+ # Escape web input parameter to avoid cross-site scripting.
print Utils.maketext(
'private.html',
- {'action' : action,
+ {'action' : Utils.websafe(action),
'realname': mlist.real_name,
'message' : message,
}, mlist=mlist)
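Review bot: Only `action` is escaped before substitution into private.html, while `message` and `mlist.real_name` go into the same template unescaped two lines below; if `message` is ever built from request-derived text (the path or the submitted form fields) rather than fixed `_()` strings, it needs the same treatment, `'message' : Utils.websafe(message),`. The fix also relies on Utils.websafe escaping double quotes, because `action` is substituted into an attribute value in the template rather than into element text — that cannot be confirmed from this hunk and is worth checking in Utils. The added comment could state the trust boundary explicitly, e.g. `# action is derived from PATH_INFO (untrusted); escape it before it is interpolated into private.html.` The enclosing main() begins before this hunk.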