aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--Mailman/Utils.py21
-rw-r--r--NEWS7
2 files changed, 22 insertions, 6 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 49121e28..7b8015a4 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -280,17 +280,28 @@ CRNLpat = re.compile(r'[^\x21-\x7e]')
def GetPathPieces(envar='PATH_INFO'):
path = os.environ.get(envar)
if path:
+ remote = os.environ.get('HTTP_FORWARDED_FOR',
+ os.environ.get('HTTP_X_FORWARDED_FOR',
+ os.environ.get('REMOTE_ADDR',
+ 'unidentified origin')))
if CRNLpat.search(path):
path = CRNLpat.split(path)[0]
- remote = os.environ.get('HTTP_FORWARDED_FOR',
- os.environ.get('HTTP_X_FORWARDED_FOR',
- os.environ.get('REMOTE_ADDR',
- 'unidentified origin')))
syslog('error',
'Warning: Possible malformed path attack domain=%s remote=%s',
get_domain(),
remote)
- return [p for p in path.split('/') if p]
+ # Check for listname injections that won't be websafed.
+ pieces = [p for p in path.split('/') if p]
+ # Get the longest listname or 20 if none.
+ if list_names():
+ longest = max([len(x) for x in list_names()])
+ else:
+ longest = 20
+ if len(pieces[0]) > longest:
+ syslog('mischief',
+ 'Hostile listname: listname=%s: remote=%s', pieces[0], remote)
+ pieces[0] = pieces[0][:longest] + '...'
+ return pieces
return None
diff --git a/NEWS b/NEWS
index 041fc7cc..b22c7a90 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,12 @@ Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
Here is a history of user visible changes to Mailman.
-2.1.28 (xx-xxx-xxxx)
+2.1.28 (23-Jul-2018)
+
+ Security
+
+ - A content spoofing vulnerability with invalid list name messages in
+ the web UI has been fixed. CVE-2018-13796 (LP: #1780874)
New Features