-rw-r--r--Mailman/Cgi/options.py8
-rwxr-xr-xMailman/Defaults.py.in12
-rwxr-xr-xMailman/Handlers/CookHeaders.py8
-rw-r--r--Mailman/Utils.py16
-rwxr-xr-xNEWS10
5 files changed, 47 insertions, 7 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index c400e9fb..7b2c70b5 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -129,6 +129,14 @@ def main():
return
else:
user = Utils.LCDomain(Utils.UnobscureEmail(SLASH.join(parts[1:])))
+ # If a user submits a form or URL with post data or query fragments
+ # with multiple occurrences of the same variable, we can get a list
+ # here. Be as careful as possible.
+ if isinstance(user, list) or isinstance(user, tuple):
+ if len(user) == 0:
+ user = ''
+ else:
+ user = user[-1]
# Avoid cross-site scripting attacks
safeuser = Utils.websafe(user)
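Review bot: Collapsing a repeated field to its last element (`user = user[-1]`) silently resolves a parameter-pollution case instead of rejecting it, and it resolves it the opposite way from the stdlib's `FieldStorage.getfirst()`, so any code path that rereads the raw field will act on a different address than the one validated here. The list cannot come from the visible `else` branch (that builds `user` from the path and is already a string), so the source is presumably a CGI field read above the hunk. I would either treat `len(user) != 1` as bad input or at least pin the policy in the comment: `# Last value wins (unlike cgi's getfirst()); callers must not reread the raw field.` main() starts before and continues after the hunk.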
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index 3bb9bc13..0e376e1c 100755
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -131,12 +131,12 @@ SUBSCRIBE_FORM_SECRET = None
# test.
SUBSCRIBE_FORM_MIN_TIME = seconds(5)
-# Installation wide ban list. This is a list, one entry per line, of email
-# addresses and regexp patterns (beginning with ^) which are not allowed to
-# subscribe to any lists in the installation. This supplements the individual
-# list's ban_list. For example, to ban xxx@aol.com and any @gmail.com address
-# beginning with yyy, set
-# GLOBAL_BAN_LIST = ['xxx@aol.com', '^yyy.*@gmail.com']
+# Installation wide ban list. This is a list of email addresses and regexp
+# patterns (beginning with ^) which are not allowed to subscribe to any lists
+# in the installation. This supplements the individual list's ban_list.
+# For example, to ban xxx@aol.com and any @gmail.com address beginning with
+# yyy, set
+# GLOBAL_BAN_LIST = ['xxx@aol.com', '^yyy.*@gmail\.com']
GLOBAL_BAN_LIST = []
# Command that is used to convert text/html parts into plain text. This
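Review bot: The corrected example `'^yyy.*@gmail\.com'` escapes the dot but is still unanchored at the end, so if entries are applied with a prefix match (which the "beginning with ^" convention suggests but this hunk does not show) it also bans `yyy@gmail.com.example`, and an admin copying the example will inherit that. Since this is the line people copy, I would end it with `$` and say why: `# GLOBAL_BAN_LIST = ['xxx@aol.com', '^yyy.*@gmail\.com$']` followed by `# Anchor patterns with $ too, or they also match any longer address.` The comment could also state whether matching is case-insensitive, which it currently leaves open.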
diff --git a/Mailman/Handlers/CookHeaders.py b/Mailman/Handlers/CookHeaders.py
index 25fda890..63e630cb 100755
--- a/Mailman/Handlers/CookHeaders.py
+++ b/Mailman/Handlers/CookHeaders.py
@@ -380,7 +380,13 @@ def prefix_subject(mlist, msg, msgdata):
else:
old_style = mm_cfg.OLD_STYLE_PREFIXING
subject = re.sub(prefix_pattern, '', subject)
- rematch = re.match('((RE|AW|SV|VS)\s*(\[\d+\])?\s*:\s*)+', subject, re.I)
+ # Previously the following re didn't have the first \s*. It would fail
+ # if the incoming Subject: was like '[prefix] Re: Re: Re:' because of the
+ # leading space after stripping the prefix. It is not known what MUA would
+ # create such a Subject:, but the issue was reported.
+ rematch = re.match(
+ '(\s*(RE|AW|SV|VS)\s*(\[\d+\])?\s*:\s*)+',
+ subject, re.I)
if rematch:
subject = subject[rematch.end():]
recolon = 'Re:'
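Review bot: The new pattern is a plain string literal carrying `\s`, `\[` and `\d`; Python 2 passes unknown escapes through unchanged, but it reads as an oversight and becomes a `DeprecationWarning` on 3.6+, so write it as a raw string: `r'(\s*(RE|AW|SV|VS)\s*(\[\d+\])?\s*:\s*)+'`. The trailing `\s*` of one iteration overlaps the leading `\s*` of the next, but nothing follows the group in the pattern, so a failed extra iteration simply ends the match rather than backtracking through the whitespace. prefix_subject starts before and continues after the hunk.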
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index fe513c8e..f22e45b4 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -234,6 +234,14 @@ _valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE)
def ValidateEmail(s):
"""Verify that an email address isn't grossly evil."""
+ # If a user submits a form or URL with post data or query fragments
+ # with multiple occurrences of the same variable, we can get a list
+ # here. Be as careful as possible.
+ if isinstance(s, list) or isinstance(s, tuple):
+ if len(s) == 0:
+ s = ''
+ else:
+ s = s[-1]
# Pretty minimal, cheesy check. We could do better...
if not s or s.count(' ') > 0:
raise Errors.MMBadEmailError
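Review bot: Reducing `s` inside ValidateEmail only rebinds the local name: the function raises or returns None, so a caller that passed a list has had `s[-1]` validated and then carries on with the original list, or whichever element it later picks, and the check and the use can disagree. I would normalise repeated fields once where the CGI data is read and keep the validator strict, e.g. `if isinstance(s, (list, tuple)):` / `raise Errors.MMBadEmailError`, or failing that document in the docstring that validation does not normalise the caller's value. The rest of ValidateEmail is outside the hunk.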
@@ -454,6 +462,14 @@ def check_global_password(response, siteadmin=True):
_ampre = re.compile('&((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
def websafe(s):
+ # If a user submits a form or URL with post data or query fragments
+ # with multiple occurrences of the same variable, we can get a list
+ # here. Be as careful as possible.
+ if isinstance(s, list) or isinstance(s, tuple):
+ if len(s) == 0:
+ s = ''
+ else:
+ s = s[-1]
if mm_cfg.BROKEN_BROWSER_WORKAROUND:
# Archiver can pass unicode here. Just skip them as the
# archiver escapes non-ascii anyway.
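Review bot: This is the third copy in one commit of the same eight-line list/tuple reduction (options.py and ValidateEmail carry the other two), so the policy of which element wins now lives in three places; a small shared helper in Utils would keep them from drifting. Even inline it reads better as `if isinstance(s, (list, tuple)):` / `s = s[-1] if s else ''`. Escaping only the chosen element is fine for output, but the caller must render exactly the value websafe returned, not its original list. websafe continues past the end of the hunk.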
diff --git a/NEWS b/NEWS
index e01d76df..1fda1cf9 100755
--- a/NEWS
+++ b/NEWS
@@ -15,11 +15,21 @@ Here is a history of user visible changes to Mailman.
i18n
+ - The German translation has been updated by Mirian Margiani.
+
- The Brazilian Portugese translation has been updated by Emerson Ribeiro
de Mello.
Bug fixes and other patches
+ - Subject prefixing could fail to collapse multiple 'Re:' in an incomming
+ message if they all came after the list's subject_prefix. This is now
+ fixed. (LP: #1496620)
+
+ - Defended against a user submitting URLs with query fragments or POST
+ data containing multiple occurrences of the same variable.
+ (LP: #1496632)
+
- Fixed bin/mailmanctl to check its effective rather than real uid.
(LP: #1491187)