authorbwarsaw <>2003-12-13 16:27:42 +0000
committerbwarsaw <>2003-12-13 16:27:42 +0000
commite4e38ef99ec8c747dfe2cf60b60b6271301a3244 (patch)
tree454586431aea30ab51a36c365fb0c1ac246ef16c /Mailman
parent4f6536f779a1142e0f0487e2285a659219f41a10 (diff)
handleForm(): Close some cross-site scripting holes found by Dirk
Mueller.
Diffstat (limited to '')
-rw-r--r--Mailman/Gui/GUIBase.py8
-rw-r--r--Mailman/Gui/Topics.py1
2 files changed, 5 insertions, 4 deletions
diff --git a/Mailman/Gui/GUIBase.py b/Mailman/Gui/GUIBase.py
index 8e9171d6..a5437009 100644
--- a/Mailman/Gui/GUIBase.py
+++ b/Mailman/Gui/GUIBase.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2002 by the Free Software Foundation, Inc.
+# Copyright (C) 2002-2003 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -140,11 +140,11 @@ class GUIBase:
elif not cgidata.has_key(property):
continue
elif isinstance(cgidata[property], ListType):
- val = [x.value for x in cgidata[property]]
+ val = [Utils.websafe(x.value) for x in cgidata[property]]
else:
- val = cgidata[property].value
+ val = Utils.websafe(cgidata[property].value)
# Coerce the value to the expected type, raising exceptions if the
- # value is invalid
+ # value is invalid.
try:
val = self._getValidValue(mlist, property, wtype, val)
except ValueError:
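Review bot: Both new `Utils.websafe(...)` calls escape the submitted value before `_getValidValue()` runs, so validation works on HTML-escaped text rather than on what the user typed, and so, presumably, does whatever is stored afterwards. If any of these properties is later used outside an HTML page (a mail header, an address, a regular expression), it would carry entities such as `&amp;` or `&lt;`, and a template that escapes again on output would double-encode it. Escaping where the value is written into HTML would keep the stored data canonical. If input-time escaping is kept, a comment on the two assignments should say so, for example `# val is HTML-escaped from here on; do not escape again when rendering`. The hunk shows only the middle of the method, so the `Utils` import and the later use of `val` could not be checked.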
diff --git a/Mailman/Gui/Topics.py b/Mailman/Gui/Topics.py
index 5f6de8d8..76bfd1e4 100644
--- a/Mailman/Gui/Topics.py
+++ b/Mailman/Gui/Topics.py
@@ -120,6 +120,7 @@ class Topics(GUIBase):
a pattern. Incomplete topics will be ignored."""))
continue
# Make sure the pattern was a legal regular expression
+ name = Utils.websafe(name)
try:
re.compile(pattern)
except (re.error, TypeError):
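Review bot: The added `name = Utils.websafe(name)` lands between the comment `# Make sure the pattern was a legal regular expression` and the `try:` that comment describes, so the comment now appears to document the escaping line. Move the assignment above the comment and give it its own, e.g. `# Escape the topic name before it is stored and echoed back in the form`. Only `name` is escaped in this hunk. Whether the topic's other submitted fields are escaped when rendered is not visible here and is worth confirming. The pattern itself cannot be escaped at this point without changing the regular expression, so it needs escaping at output. The enclosing loop starts and ends outside the hunk.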