authorMark Sapiro <mark@msapiro.net>2015-09-16 17:39:34 -0700
committerMark Sapiro <mark@msapiro.net>2015-09-16 17:39:34 -0700
commit6f9679030c1c2037a6a12555dbfe02445b012646 (patch)
treedabd063667c028f75afc52d8d9579975fc93ca30
parent8fe23fa982192c2e1236ee86eb6cad612ace504c (diff)
Defended against a user submitting URLs with query fragments or POST
data containing multiple occurrences of the same variable.
-rw-r--r--Mailman/Cgi/options.py8
-rw-r--r--Mailman/Utils.py16
-rwxr-xr-xNEWS4
3 files changed, 28 insertions, 0 deletions
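--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -129,6 +129,14 @@ def main():
 return
 else:
 user = Utils.LCDomain(Utils.UnobscureEmail(SLASH.join(parts[1:])))
+ # If a user submits a form or URL with post data or query fragments
+ # with multiple occurrences of the same variable, we can get a list
+ # here. Be as careful as possible.
+ if isinstance(user, list) or isinstance(user, tuple):
+ if len(user) == 0:
+ user = ''
+ else:
+ user = user[-1]
 # Avoid cross-site scripting attacks
 safeuser = Utils.websafe(user)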
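Review bot: The list-normalisation block is duplicated verbatim here and in Utils.ValidateEmail and Utils.websafe in this same commit; one helper in Utils, e.g. `def GetValue(v): return (v[-1] if v else '') if isinstance(v, (list, tuple)) else v`, called from all three places, would keep the three copies of the policy (last value wins, empty sequence becomes '') from drifting apart. Within this hunk the only visible assignment, `SLASH.join(parts[1:])`, always yields a str, so the list case presumably originates in the branch above the hunk (the form-data path); naming that source in the comment would make the check's purpose clearer to the next reader. `isinstance(user, (list, tuple))` is also the idiomatic spelling of the two-way test. main() starts and ends outside the hunk.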
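--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -234,6 +234,14 @@ _valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE)
 def ValidateEmail(s):
 """Verify that an email address isn't grossly evil."""
+ # If a user submits a form or URL with post data or query fragments
+ # with multiple occurrences of the same variable, we can get a list
+ # here. Be as careful as possible.
+ if isinstance(s, list) or isinstance(s, tuple):
+ if len(s) == 0:
+ s = ''
+ else:
+ s = s[-1]
 # Pretty minimal, cheesy check. We could do better...
 if not s or s.count(' ') > 0:
 raise Errors.MMBadEmailError
@@ -454,6 +462,14 @@ def check_global_password(response, siteadmin=True):
 _ampre = re.compile('&amp;((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
 def websafe(s):
+ # If a user submits a form or URL with post data or query fragments
+ # with multiple occurrences of the same variable, we can get a list
+ # here. Be as careful as possible.
+ if isinstance(s, list) or isinstance(s, tuple):
+ if len(s) == 0:
+ s = ''
+ else:
+ s = s[-1]
 if mm_cfg.BROKEN_BROWSER_WORKAROUND:
 # Archiver can pass unicode here. Just skip them as the
 # archiver escapes non-ascii anyway.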
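Review bot: Both hunks silently accept multi-valued input by keeping the last element, but nothing rejects or records the ambiguous case; for ValidateEmail in particular, a request that supplies several values for one address parameter is more safely treated as a bad address, `if isinstance(s, (list, tuple)) and len(s) > 1: raise Errors.MMBadEmailError`, than resolved to whichever value arrived last, since any other component that happens to read the first value would validate or display a different address than the one actually used. If last-wins is the intended contract, it should at least be stated in ValidateEmail's docstring and in a comment on websafe so callers do not rely on it by accident. The selected element is also not checked to be a string before `s.count(' ')` and the escaping below; whether cgi.FieldStorage can hand back non-string items on these paths is not visible in the hunk and worth confirming. The bodies of ValidateEmail and websafe continue past their hunks.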
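--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,10 @@ Here is a history of user visible changes to Mailman.
 Bug fixes and other patches
+ - Defended against a user submitting URLs with query fragments or POST
+ data containing multiple occurrences of the same variable.
+ (LP: #1496632)
+
 - Fixed bin/mailmanctl to check its effective rather than real uid.
 (LP: #1491187)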