author | Mark Sapiro <mark@msapiro.net> | 2018-02-04 08:41:19 -0800 |
---|---|---|
committer | Mark Sapiro <mark@msapiro.net> | 2018-02-04 08:41:19 -0800 |
commit | 2dfcd18a5d2982f2f21ff02539f992ba5041808c (patch) | |
tree | fa2bdc690c692e719f9c61e0244e04820c504393 | |
parent | bcd476a43f2365a48db8c17d0a7076b6a2e0ce92 (diff) | |
Fix XSS and info leak in options CGI - CVE-2018-5950
-rw-r--r-- | Mailman/Cgi/options.py | 32 | ||||
-rw-r--r-- | NEWS | 10 |
2 files changed, 26 insertions, 16 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 93148af8..6608df4f 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2017 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -200,20 +200,6 @@ def main():
         doc.set_language(userlang)
         i18n.set_language(userlang)
 
-    # See if this is VARHELP on topics.
-    varhelp = None
-    if cgidata.has_key('VARHELP'):
-        varhelp = cgidata['VARHELP'].value
-    elif os.environ.get('QUERY_STRING'):
-        # POST methods, even if their actions have a query string, don't get
-        # put into FieldStorage's keys :-(
-        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
-        if qs and type(qs) == types.ListType:
-            varhelp = qs[0]
-    if varhelp:
-        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
-        return
-
     # Are we processing an unsubscription request from the login screen?
     msgc = _('If you are a list member, a confirmation email has been sent.')
     msga = _("""If you are a list member, your unsubscription request has been
@@ -340,6 +326,22 @@ def main():
         print doc.Format()
         return
 
+    # See if this is VARHELP on topics.
+    varhelp = None
+    if cgidata.has_key('VARHELP'):
+        varhelp = cgidata['VARHELP'].value
+    elif os.environ.get('QUERY_STRING'):
+        # POST methods, even if their actions have a query string, don't get
+        # put into FieldStorage's keys :-(
+        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
+        if qs and type(qs) == types.ListType:
+            varhelp = qs[0]
+    if varhelp:
+        # Sanitize the topic name.
+        varhelp = re.sub('<.*', '', varhelp)
+        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+        return
+
     if cgidata.has_key('logout'):
         print mlist.ZapCookie(mm_cfg.AuthUser, user)
         loginpage(mlist, doc, user, language)
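Review bot: The sanitizer at `varhelp = re.sub('<.*', '', varhelp)` in the second hunk is a deny-list that only truncates the value at a `<`; if topic_details (outside this hunk) interpolates the topic name into HTML, the robust fix is to escape it at the point of output, e.g. `cgi.escape(varhelp, quote=True)`, so that quotes and ampersands are neutralized in attribute contexts as well. The diff adds no `import re`, so the new line relies on `re` already being imported at the top of options.py, which is not visible here and should be confirmed. Moving the VARHELP block below the login handling is what closes the pre-authentication information exposure, and that ordering deserves a comment so a later refactor does not move it back, e.g. `# Only reached after the member has authenticated; topic details must never be shown to anonymous callers.` replacing `# See if this is VARHELP on topics.`. main() starts and ends outside the hunk.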
@@ -5,7 +5,15 @@ Copyright (C) 1998-2018 by the Free Software Foundation, Inc. Here is a history of user visible changes to Mailman. -2.1.26 (xx-xxx-xxxx) +2.1.26 (04-Feb-2018) + + Security + + - An XSS vulnerability in the user options CGI could allow a crafted URL + to execute arbitrary javascript in a user's browser. A related issue + could expose information on a user's options page without requiring + login. These are fixed. Thanks to Calum Hutton for the report. + CVE-2018-5950 (LP: #1747209) New Features |