diff options
author | bwarsaw <> | 2006-08-30 14:54:22 +0000 |
---|---|---|
committer | bwarsaw <> | 2006-08-30 14:54:22 +0000 |
commit | 0cee915eeb5f8f99ed036d257b1103c28373eb5b (patch) | |
tree | 1489a315aaa485d4c1aa91762b63a232fb23149d | |
parent | 14bb48657eae40f5ef80adeebd021d6a186e2cd2 (diff) | |
download | mailman2-0cee915eeb5f8f99ed036d257b1103c28373eb5b.tar.gz mailman2-0cee915eeb5f8f99ed036d257b1103c28373eb5b.tar.xz mailman2-0cee915eeb5f8f99ed036d257b1103c28373eb5b.zip |
CVE-2006-3636. Fixes for various cross-site scripting issues. Discovery by
Moritz Naumann and most of the repair work done by Mark Sapiro (with some
additional work by Barry).
-rw-r--r-- | Mailman/Cgi/admin.py | 15 | ||||
-rw-r--r-- | Mailman/Cgi/admindb.py | 6 | ||||
-rw-r--r-- | Mailman/Cgi/create.py | 25 | ||||
-rw-r--r-- | Mailman/Cgi/edithtml.py | 3 | ||||
-rw-r--r-- | Mailman/Cgi/options.py | 4 | ||||
-rw-r--r-- | Mailman/Gui/General.py | 9 | ||||
-rw-r--r-- | Mailman/HTMLFormatter.py | 11 | ||||
-rw-r--r-- | Mailman/Utils.py | 2 | ||||
-rw-r--r-- | Mailman/htmlformat.py | 17 | ||||
-rw-r--r-- | NEWS | 8 |
10 files changed, 67 insertions, 33 deletions
diff --git a/Mailman/Cgi/admin.py b/Mailman/Cgi/admin.py index 8434c817..f70a0721 100644 --- a/Mailman/Cgi/admin.py +++ b/Mailman/Cgi/admin.py @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2005 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2006 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -1318,6 +1318,7 @@ def change_options(mlist, category, subcat, cgidata, doc): # we display. Try uploading a file with 10k names -- it takes a while # to render the status page. for entry in entries: + safeentry = Utils.websafe(entry) fullname, address = parseaddr(entry) # Canonicalize the full name fullname = Utils.canonstr(fullname, mlist.preferred_language) @@ -1335,20 +1336,20 @@ def change_options(mlist, category, subcat, cgidata, doc): send_admin_notif, invitation, whence='admin mass sub') except Errors.MMAlreadyAMember: - subscribe_errors.append((entry, _('Already a member'))) + subscribe_errors.append((safeentry, _('Already a member'))) except Errors.MMBadEmailError: if userdesc.address == '': subscribe_errors.append((_('<blank line>'), _('Bad/Invalid email address'))) else: - subscribe_errors.append((entry, + subscribe_errors.append((safeentry, _('Bad/Invalid email address'))) except Errors.MMHostileAddress: subscribe_errors.append( - (entry, _('Hostile address (illegal characters)'))) + (safeentry, _('Hostile address (illegal characters)'))) except Errors.MembershipIsBanned, pattern: subscribe_errors.append( - (entry, _('Banned address (matched %(pattern)s)'))) + (safeentry, _('Banned address (matched %(pattern)s)'))) else: member = Utils.uncanonstr(formataddr((fullname, address))) subscribe_success.append(Utils.websafe(member)) @@ -1388,9 +1389,9 @@ def change_options(mlist, category, subcat, cgidata, doc): addr, whence='admin mass unsub', admin_notif=send_unsub_notifications, userack=userack) - unsubscribe_success.append(addr) + unsubscribe_success.append(Utils.websafe(addr)) except Errors.NotAMemberError: - unsubscribe_errors.append(addr) + unsubscribe_errors.append(Utils.websafe(addr)) if unsubscribe_success: doc.AddItem(Header(5, _('Successfully Unsubscribed:'))) doc.AddItem(UnorderedList(*unsubscribe_success)) diff --git a/Mailman/Cgi/admindb.py b/Mailman/Cgi/admindb.py index 7f42c8ac..f36daae0 100644 --- a/Mailman/Cgi/admindb.py +++ b/Mailman/Cgi/admindb.py @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2005 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2006 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -313,7 +313,7 @@ def show_pending_subs(mlist, form): ' ' + _('Permanently ban from this list') # While the address may be a unicode, it must be ascii paddr = addr.encode('us-ascii', 'replace') - table.AddRow(['%s<br><em>%s</em>' % (paddr, fullname), + table.AddRow(['%s<br><em>%s</em>' % (paddr, Utils.websafe(fullname)), radio, TextBox('comment-%d' % id, size=40) ]) @@ -357,7 +357,7 @@ def show_pending_unsubs(mlist, form): mlist.HandleRequest(id, mm_cfg.DISCARD) continue num += 1 - table.AddRow(['%s<br><em>%s</em>' % (addr, fullname), + table.AddRow(['%s<br><em>%s</em>' % (addr, Utils.websafe(fullname)), RadioButtonArray(id, (_('Defer'), _('Approve'), _('Reject'), diff --git a/Mailman/Cgi/create.py b/Mailman/Cgi/create.py index 603a78e7..50f06070 100644 --- a/Mailman/Cgi/create.py +++ b/Mailman/Cgi/create.py @@ -1,4 +1,4 @@ -# Copyright (C) 2001-2005 by the Free Software Foundation, Inc. +# Copyright (C) 2001-2006 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -190,15 +190,24 @@ def process_request(doc, cgidata): mlist.Create(listname, owner, pw, langs, emailhost) finally: os.umask(oldmask) - except Errors.EmailAddressError, s: + except Errors.EmailAddressError, e: + if e.args: + s = Utils.websafe(e.args[0]) + else: + s = Utils.websafe(owner) request_creation(doc, cgidata, _('Bad owner email address: %(s)s')) return except Errors.MMListAlreadyExistsError: + # MAS: List already exists so we don't need to websafe it. request_creation(doc, cgidata, _('List already exists: %(listname)s')) return - except Errors.BadListNameError, s: + except Errors.BadListNameError, e: + if e.args: + s = Utils.websafe(e.args[0]) + else: + s = Utils.websafe(listname) request_creation(doc, cgidata, _('Illegal list name: %(s)s')) return @@ -321,15 +330,17 @@ def request_creation(doc, cgidata=dummy, errmsg=None): ftable.AddRow([Center(Italic(_('List Identity')))]) ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, colspan=2) - safelistname = Utils.websafe(cgidata.getvalue('listname', '')) + listname = cgidata.getvalue('listname', '') + # MAS: Don't websafe twice. TextBox does it. ftable.AddRow([Label(_('Name of list:')), - TextBox('listname', safelistname)]) + TextBox('listname', listname)]) ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY) ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY) - safeowner = Utils.websafe(cgidata.getvalue('owner', '')) + owner = cgidata.getvalue('owner', '') + # MAS: Don't websafe twice. TextBox does it. ftable.AddRow([Label(_('Initial list owner address:')), - TextBox('owner', safeowner)]) + TextBox('owner', owner)]) ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY) ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY) diff --git a/Mailman/Cgi/edithtml.py b/Mailman/Cgi/edithtml.py index 9ec54cef..b5967b34 100644 --- a/Mailman/Cgi/edithtml.py +++ b/Mailman/Cgi/edithtml.py @@ -143,7 +143,8 @@ def FormatHTML(mlist, doc, template_name, template_info): doc.AddItem('<p>') doc.AddItem('<hr>') form = Form(mlist.GetScriptURL('edithtml') + '/' + template_name) - text = Utils.websafe(Utils.maketext(template_name, raw=1, mlist=mlist)) + text = Utils.maketext(template_name, raw=1, mlist=mlist) + # MAS: Don't websafe twice. TextArea does it. form.AddItem(TextArea('html_code', text, rows=40, cols=75)) form.AddItem('<p>' + _('When you are done making changes...')) form.AddItem(SubmitButton('submit', _('Submit Changes'))) diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py index eb7adb67..d423f262 100644 --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2005 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2006 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -702,7 +702,7 @@ def options_page(mlist, doc, user, cpuser, userlang, message=''): fullname = Utils.uncanonstr(mlist.getMemberName(user), userlang) if fullname: - presentable_user += ', %s' % fullname + presentable_user += ', %s' % Utils.websafe(fullname) # Do replacements replacements = mlist.GetStandardReplacements(userlang) diff --git a/Mailman/Gui/General.py b/Mailman/Gui/General.py index 487e7e0d..6b03fd2c 100644 --- a/Mailman/Gui/General.py +++ b/Mailman/Gui/General.py @@ -1,4 +1,4 @@ -# Copyright (C) 2001-2005 by the Free Software Foundation, Inc. +# Copyright (C) 2001-2006 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -12,7 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. """MailList mixin class managing the general options.""" @@ -439,13 +440,13 @@ class General(GUIBase): GUIBase._setValue(self, mlist, property, val, doc) def _escape(self, property, value): - # The 'info' property allows HTML, but lets sanitize it to avoid XSS + # The 'info' property allows HTML, but let's sanitize it to avoid XSS # exploits. Everything else should be fully escaped. if property <> 'info': return GUIBase._escape(self, property, value) # Sanitize <script> and </script> tags but nothing else. Not the best # solution, but expedient. - return re.sub(r'<([/]?script.*?)>', r'<\1>', value) + return re.sub(r'(?i)<([/]?script.*?)>', r'<\1>', value) def _postValidate(self, mlist, doc): if not mlist.reply_to_address.strip() and \ diff --git a/Mailman/HTMLFormatter.py b/Mailman/HTMLFormatter.py index e6afda9b..99ed96da 100644 --- a/Mailman/HTMLFormatter.py +++ b/Mailman/HTMLFormatter.py @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2003 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2006 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -12,7 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. """Routines for presentation of list-specific HTML text.""" @@ -332,8 +333,12 @@ class HTMLFormatter: return '</FORM>' def FormatBox(self, name, size=20, value=''): + if isinstance(value, str): + safevalue = Utils.websafe(value) + else: + safevalue = value return '<INPUT type="Text" name="%s" size="%d" value="%s">' % ( - name, size, value) + name, size, safevalue) def FormatSecureBox(self, name): return '<INPUT type="Password" name="%s" size="15">' % name diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 5c9707c7..10a589fd 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -205,7 +205,7 @@ def LCDomain(addr): _badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]') def ValidateEmail(s): - """Verify that the an email address isn't grossly evil.""" + """Verify that an email address isn't grossly evil.""" # Pretty minimal, cheesy check. We could do better... if not s or s.count(' ') > 0: raise Errors.MMBadEmailError diff --git a/Mailman/htmlformat.py b/Mailman/htmlformat.py index 1fe44d88..1a0bd22d 100644 --- a/Mailman/htmlformat.py +++ b/Mailman/htmlformat.py @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2005 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2006 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -12,7 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. """Library for program-based construction of an HTML documents. @@ -448,7 +449,11 @@ class PasswordBox(InputObj): class TextBox(InputObj): def __init__(self, name, value='', size=mm_cfg.TEXTFIELDWIDTH): - InputObj.__init__(self, name, "TEXT", value, checked=0, size=size) + if isinstance(value, str): + safevalue = Utils.websafe(value) + else: + safevalue = value + InputObj.__init__(self, name, "TEXT", safevalue, checked=0, size=size) class Hidden(InputObj): def __init__(self, name, value=''): @@ -457,8 +462,12 @@ class Hidden(InputObj): class TextArea: def __init__(self, name, text='', rows=None, cols=None, wrap='soft', readonly=0): + if isinstance(text, str): + safetext = Utils.websafe(text) + else: + safetext = text self.name = name - self.text = text + self.text = safetext self.rows = rows self.cols = cols self.wrap = wrap @@ -13,6 +13,12 @@ Here is a history of user visible changes to Mailman. unsuspecting administrator to visit a phishing site. This has been blocked. Thanks to Moritz Naumann for its discovery. + - Fixed denial of service attack which can be caused by some + standards-breaking RFC 2231 formatted headers. CVE-2006-2941. + + - Several cross-site scripting issues have been fixed. Thanks to Moritz + Naumann for their discovery. CVE-2006-3636 + Internationalization - New languages: Arabic, Vietnamese. @@ -26,7 +32,7 @@ Here is a history of user visible changes to Mailman. - Switchboard.py - Closed very tiny holes at the upper ends of queue slices that could result in unprocessable queue entries. Improved FIFO processing when two queue entries have the same timestamp. - + 2.1.8 (15-Apr-2006) Security |