diff options
author | tkikuchi <> | 2006-04-04 23:47:14 +0000 |
---|---|---|
committer | tkikuchi <> | 2006-04-04 23:47:14 +0000 |
commit | 369a0c8bf117099edb3761b38eadda68ad1cfefc (patch) | |
tree | 485881e1540d4f0a899713dda657f98d524b9494 /Mailman/Cgi | |
parent | 31fc369a3fa0853bc71e4282d3863a7750a8ad7f (diff) | |
download | mailman2-369a0c8bf117099edb3761b38eadda68ad1cfefc.tar.gz mailman2-369a0c8bf117099edb3761b38eadda68ad1cfefc.tar.xz mailman2-369a0c8bf117099edb3761b38eadda68ad1cfefc.zip |
Fix XSS bug: Thanks Moritz Naumann. (CVE-2006-1512)
Diffstat (limited to 'Mailman/Cgi')
-rw-r--r-- | Mailman/Cgi/private.py | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py index 35b38dea..86608418 100644 --- a/Mailman/Cgi/private.py +++ b/Mailman/Cgi/private.py @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2005 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2006 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -148,9 +148,10 @@ def main(): # page don't work. if true_filename.endswith('/index.html') and parts[-1] <> 'index.html': action += SLASH + # Escape web input parameter to avoid cross-site scripting. print Utils.maketext( 'private.html', - {'action' : action, + {'action' : Utils.websafe(action), 'realname': mlist.real_name, 'message' : message, }, mlist=mlist) |