authorbwarsaw <>2003-09-28 16:04:06 +0000
committerbwarsaw <>2003-09-28 16:04:06 +0000
commit6968ea49785c35af0acedb38917e3a9bd013b0a9 (patch)
tree5ace4de45dab077f02a93e637b20bee31e1228d3
parentd666f545ea57d63e7fb68d3e5058182894a77f0c (diff)
process_request(), request_creation(): Close cross-site scripting
exploits found by Ned Dawes. Also, whitespace normalization. Backported from HEAD.
-rw-r--r--Mailman/Cgi/create.py34
1 files changed, 20 insertions, 14 deletions
diff --git a/Mailman/Cgi/create.py b/Mailman/Cgi/create.py
index 31e16269..79df14a5 100644
--- a/Mailman/Cgi/create.py
+++ b/Mailman/Cgi/create.py
@@ -1,17 +1,17 @@
-# Copyright (C) 2001,2002 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2003 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
-#
+#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
-#
+#
# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
+# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
"""Create mailing lists through the web."""
@@ -87,7 +87,7 @@ def process_request(doc, cgidata):
moderate = int(cgidata.getvalue('moderate', '0'))
except ValueError:
moderate = mm_cfg.DEFAULT_DEFAULT_MEMBER_MODERATION
-
+
password = cgidata.getvalue('password', '').strip()
confirm = cgidata.getvalue('confirm', '').strip()
auth = cgidata.getvalue('auth', '').strip()
@@ -96,15 +96,17 @@ def process_request(doc, cgidata):
if type(langs) <> ListType:
langs = [langs]
# Sanity check
+ safelistname = Utils.websafe(listname)
if '@' in listname:
request_creation(doc, cgidata,
- _('List name must not include "@": %(listname)s'))
+ _('List name must not include "@": %(safelistname)s'))
return
if Utils.list_exists(listname):
# BAW: should we tell them the list already exists? This could be
# used to mine/guess the existance of non-advertised lists. Then
# again, that can be done in other ways already, so oh well.
- request_creation(doc, cgidata, _('List already exists: %(listname)s'))
+ request_creation(doc, cgidata,
+ _('List already exists: %(safelistname)s'))
return
if not listname:
request_creation(doc, cgidata,
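Review bot: The escaped copy introduced at `safelistname = Utils.websafe(listname)` is substituted only into the two messages changed in this hunk, so any other message in process_request that still interpolates `%(listname)s` into page text keeps the same reflection; the function continues past this hunk and those branches are worth checking for the raw name. The `_()` call appears to resolve `%(safelistname)s` from the caller's locals, which is presumably why a separately named local is introduced rather than escaping inline — a short comment would make that non-obvious dependency explicit: `# _() interpolates from the caller's locals; keep the escaped copy under its own name`. Escaping at each message site is easy to miss on the next edit; if request_creation (hunks at lines 311 and 334) is the only consumer of errmsg, escaping there once at render time and passing the raw name would cover every caller — confirm first that no caller hands it pre-built markup.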
@@ -194,7 +196,7 @@ def process_request(doc, cgidata):
_('''Some unknown error occurred while creating the list.
Please contact the site administrator for assistance.'''))
return
-
+
# Initialize the host_name and web_page_url attributes, based on
# virtual hosting settings and the request environment variables.
hostname = Utils.get_domain()
@@ -222,8 +224,8 @@ def process_request(doc, cgidata):
text = Utils.maketext(
'newlist.txt',
{'listname' : listname,
- 'password' : password,
- 'admin_url' : mlist.GetScriptURL('admin', absolute=1),
+ 'password' : password,
+ 'admin_url' : mlist.GetScriptURL('admin', absolute=1),
'listinfo_url': mlist.GetScriptURL('listinfo', absolute=1),
'requestaddr' : mlist.GetRequestEmail(),
'siteowner' : siteadmin,
@@ -309,13 +311,15 @@ def request_creation(doc, cgidata=dummy, errmsg=None):
ftable.AddRow([Center(Italic(_('List Identity')))])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, colspan=2)
+ safelistname = Utils.websafe(cgidata.getvalue('listname', ''))
ftable.AddRow([Label(_('Name of list:')),
- TextBox('listname', cgidata.getvalue('listname', ''))])
+ TextBox('listname', safelistname)])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
+ safeowner = Utils.websafe(cgidata.getvalue('owner', ''))
ftable.AddRow([Label(_('Initial list owner address:')),
- TextBox('owner', cgidata.getvalue('owner', ''))])
+ TextBox('owner', safeowner)])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
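Review bot: `cgidata.getvalue('listname', '')` and `cgidata.getvalue('owner', '')` return a list rather than a string when the same field is submitted more than once, which this file already handles for `langs` a few hunks earlier (`if type(langs) <> ListType: langs = [langs]`); if Utils.websafe expects a string, a duplicated field would now raise inside request_creation instead of rendering the form. Normalising before escaping, e.g. `listname = cgidata.getvalue('listname', '')` followed by `if type(listname) is ListType: listname = listname[0]`, keeps the escaping on a known type — worth confirming against what websafe accepts. request_creation's body starts before this hunk and continues after it.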
@@ -330,13 +334,15 @@ def request_creation(doc, cgidata=dummy, errmsg=None):
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
+ safepasswd = Utils.websafe(cgidata.getvalue('password', ''))
ftable.AddRow([Label(_('Initial list password:')),
- PasswordBox('password', cgidata.getvalue('password', ''))])
+ PasswordBox('password', safepasswd)])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
+ safeconfirm = Utils.websafe(cgidata.getvalue('confirm', ''))
ftable.AddRow([Label(_('Confirm initial password:')),
- PasswordBox('confirm', cgidata.getvalue('confirm', ''))])
+ PasswordBox('confirm', safeconfirm)])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
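Review bot: The submitted password and its confirmation are still written back into the re-displayed form as the value of `PasswordBox('password', safepasswd)` and `PasswordBox('confirm', safeconfirm)`; escaping closes the markup injection but the secret still lands in the response body, where it can be retained by browser caches and page-source views. Redisplaying these two fields empty, `PasswordBox('password', '')` and `PasswordBox('confirm', '')`, avoids reflecting the credential at all, at the cost of the user retyping it after an error. If prefilling is deliberate for usability, a comment stating that trade-off next to these lines would help the next reader. request_creation's body continues outside this hunk.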