diff options
| author | Mark Sapiro <mark@msapiro.net> | 2018-07-23 07:07:29 -0700 |
|---|---|---|
| committer | Mark Sapiro <mark@msapiro.net> | 2018-07-23 07:07:29 -0700 |
| commit | 0a86542dae3279874f731052f2a8fe9a41596940 (patch) | |
| tree | fd68ad86db8d6ccf770dad96e48f6b47995d69f4 /Mailman | |
| parent | 84db4a8d468922e0c5a7c8ecceda1d0c8ec55168 (diff) | |
| download | mailman2-0a86542dae3279874f731052f2a8fe9a41596940.tar.gz mailman2-0a86542dae3279874f731052f2a8fe9a41596940.tar.xz mailman2-0a86542dae3279874f731052f2a8fe9a41596940.zip | |
Truncate long invalid list names in web error messages.
Diffstat (limited to 'Mailman')
| -rw-r--r-- | Mailman/Utils.py | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 49121e28..7b8015a4 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -280,17 +280,28 @@ CRNLpat = re.compile(r'[^\x21-\x7e]') def GetPathPieces(envar='PATH_INFO'): path = os.environ.get(envar) if path: + remote = os.environ.get('HTTP_FORWARDED_FOR', + os.environ.get('HTTP_X_FORWARDED_FOR', + os.environ.get('REMOTE_ADDR', + 'unidentified origin'))) if CRNLpat.search(path): path = CRNLpat.split(path)[0] - remote = os.environ.get('HTTP_FORWARDED_FOR', - os.environ.get('HTTP_X_FORWARDED_FOR', - os.environ.get('REMOTE_ADDR', - 'unidentified origin'))) syslog('error', 'Warning: Possible malformed path attack domain=%s remote=%s', get_domain(), remote) - return [p for p in path.split('/') if p] + # Check for listname injections that won't be websafed. + pieces = [p for p in path.split('/') if p] + # Get the longest listname or 20 if none. + if list_names(): + longest = max([len(x) for x in list_names()]) + else: + longest = 20 + if len(pieces[0]) > longest: + syslog('mischief', + 'Hostile listname: listname=%s: remote=%s', pieces[0], remote) + pieces[0] = pieces[0][:longest] + '...' + return pieces return None |