diff options
| author | Mark Sapiro <mark@msapiro.net> | 2015-03-27 14:12:16 -0700 |
|---|---|---|
| committer | Mark Sapiro <mark@msapiro.net> | 2015-03-27 14:12:16 -0700 |
| commit | d3124395a3abfe0ccd9f1c37096292bfbe939a85 (patch) | |
| tree | b467552f192b40d48b13697a5d0ba1e407136abf /Mailman | |
| parent | f7f85e8b85b027a919705895f80b63c5d03d727c (diff) | |
| download | mailman2-d3124395a3abfe0ccd9f1c37096292bfbe939a85.tar.gz mailman2-d3124395a3abfe0ccd9f1c37096292bfbe939a85.tar.xz mailman2-d3124395a3abfe0ccd9f1c37096292bfbe939a85.zip | |
Fix for path traversal vulnerability.
Diffstat (limited to 'Mailman')
| -rwxr-xr-x | Mailman/Defaults.py.in | 2 | ||||
| -rw-r--r-- | Mailman/Utils.py | 6 |
2 files changed, 7 insertions, 1 deletions
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in index 068a7dab..9e9e93af 100755 --- a/Mailman/Defaults.py.in +++ b/Mailman/Defaults.py.in @@ -138,7 +138,7 @@ HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s' # A Python regular expression character class which defines the characters # allowed in list names. Lists cannot be created with names containing any -# character that doesn't match this class. +# character that doesn't match this class. Do not include '/' in this list. ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]' # Shall the user's real names be displayed along with their email addresses diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 13c4ed8b..1cd1cdb7 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -100,6 +100,12 @@ def list_exists(listname): # # The former two are for 2.1alpha3 and beyond, while the latter two are # for all earlier versions. + # + # But first ensure the list name doesn't contain a path traversal + # attack. + if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0: + syslog('mischief', 'Hostile listname: %s', listname) + return False basepath = Site.get_listpath(listname) for ext in ('.pck', '.pck.last', '.db', '.db.last'): dbfile = os.path.join(basepath, 'config' + ext) |