Fix XSS bug: Thanks Moritz Naumann. (CVE-2006-1512)

author: tkikuchi <> 2006-04-04 23:47:14 +0000
committer: tkikuchi <> 2006-04-04 23:47:14 +0000
commit: 369a0c8bf117099edb3761b38eadda68ad1cfefc (patch)
tree: 485881e1540d4f0a899713dda657f98d524b9494 /Mailman
parent: 31fc369a3fa0853bc71e4282d3863a7750a8ad7f (diff)
download: mailman2-369a0c8bf117099edb3761b38eadda68ad1cfefc.tar.gz
mailman2-369a0c8bf117099edb3761b38eadda68ad1cfefc.tar.xz
mailman2-369a0c8bf117099edb3761b38eadda68ad1cfefc.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 35b38dea..86608418 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -148,9 +148,10 @@ def main():
         # page don't work.
         if true_filename.endswith('/index.html') and parts[-1] <> 'index.html':
             action += SLASH
+        # Escape web input parameter to avoid cross-site scripting.
         print Utils.maketext(
             'private.html',
-            {'action'  : action,
+            {'action'  : Utils.websafe(action),
              'realname': mlist.real_name,
              'message' : message,
              }, mlist=mlist)
author	tkikuchi <>	2006-04-04 23:47:14 +0000
committer	tkikuchi <>	2006-04-04 23:47:14 +0000
commit	369a0c8bf117099edb3761b38eadda68ad1cfefc (patch)
tree	485881e1540d4f0a899713dda657f98d524b9494 /Mailman
parent	31fc369a3fa0853bc71e4282d3863a7750a8ad7f (diff)
download	mailman2-369a0c8bf117099edb3761b38eadda68ad1cfefc.tar.gz mailman2-369a0c8bf117099edb3761b38eadda68ad1cfefc.tar.xz mailman2-369a0c8bf117099edb3761b38eadda68ad1cfefc.zip