diff options
| author | Mark Sapiro <mark@msapiro.net> | 2019-03-01 18:24:14 -0800 |
|---|---|---|
| committer | Mark Sapiro <mark@msapiro.net> | 2019-03-01 18:24:14 -0800 |
| commit | d42ff460f48550f01b7cf97935df4bcdfb829373 (patch) | |
| tree | 8f70ea1c5ea7f69dcda606eb9b6f338edc74d222 | |
| parent | dd5dc51fc773b56c6f4b33ab739d2b148ec45337 (diff) | |
| download | mailman2-d42ff460f48550f01b7cf97935df4bcdfb829373.tar.gz mailman2-d42ff460f48550f01b7cf97935df4bcdfb829373.tar.xz mailman2-d42ff460f48550f01b7cf97935df4bcdfb829373.zip | |
Implement MAX_LISTNAME_LENGTH to avoid calculating on each web access.
| -rwxr-xr-x | Mailman/Defaults.py.in | 9 | ||||
| -rw-r--r-- | Mailman/Utils.py | 13 | ||||
| -rw-r--r-- | NEWS | 7 |
3 files changed, 25 insertions, 4 deletions
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in index 5e158e5b..fabd95bd 100755 --- a/Mailman/Defaults.py.in +++ b/Mailman/Defaults.py.in @@ -166,6 +166,15 @@ HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s' # character that doesn't match this class. Do not include '/' in this list. ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]' +# The number of characters in the longest listname in the installation. The +# fix for LP: #1780874 truncates list names in web URLs to this length to avoid +# a content spoofing vulnerability. If this is left at its default value of +# 0, the length of the longest listname is calculated on every web access. +# This can have performance implications in installations with a very large +# number of lists. To use this feature to avoid the calculation, set this to +# a number equal to the length of the longest expected valid list name. +MAX_LISTNAME_LENGTH = 0 + # Shall the user's real names be displayed along with their email addresses # in list rosters? Defaults to No to preserve prior behavior. ROSTER_DISPLAY_REALNAME = No diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 47e4e5cc..10629fc4 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -292,11 +292,16 @@ def GetPathPieces(envar='PATH_INFO'): remote) # Check for listname injections that won't be websafed. pieces = [p for p in path.split('/') if p] - # Get the longest listname or 20 if none. - if list_names(): - longest = max([len(x) for x in list_names()]) + # Get the longest listname or 20 if none or use MAX_LISTNAME_LENGTH if + # provided > 0. + if mm_cfg.MAX_LISTNAME_LENGTH > 0: + longest = mm_cfg.MAX_LISTNAME_LENGTH else: - longest = 20 + lst_names = list_names() + if lst_names: + longest = max([len(x) for x in lst_names]) + else: + longest = 20 if pieces and len(pieces[0]) > longest: syslog('mischief', 'Hostile listname: listname=%s: remote=%s', pieces[0], remote) @@ -14,6 +14,13 @@ Here is a history of user visible changes to Mailman. From: addresses listed or matching listed regexps. This can be used to modify mail to addresses that don't accept external mail From: themselves. + + - There is a new MAX_LISTNAME_LENGTH setting. The fix for LP: #1780874 + obtains a list of the names of all the all the lists in the installation + in order to determine the maximum length of a legitimate list name. It + does this on every web access and on sites with a very large number of + lists, this can have performance implications. See the description in + Defaults.py for more information. Bug Fixes and other patches |