aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xMailman/Defaults.py.in2
-rw-r--r--Mailman/Utils.py6
-rwxr-xr-xNEWS10
3 files changed, 16 insertions, 2 deletions
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index 068a7dab..9e9e93af 100755
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -138,7 +138,7 @@ HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s'
# A Python regular expression character class which defines the characters
# allowed in list names. Lists cannot be created with names containing any
-# character that doesn't match this class.
+# character that doesn't match this class. Do not include '/' in this list.
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
# Shall the user's real names be displayed along with their email addresses
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 13c4ed8b..1cd1cdb7 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -100,6 +100,12 @@ def list_exists(listname):
#
# The former two are for 2.1alpha3 and beyond, while the latter two are
# for all earlier versions.
+ #
+ # But first ensure the list name doesn't contain a path traversal
+ # attack.
+ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
+ syslog('mischief', 'Hostile listname: %s', listname)
+ return False
basepath = Site.get_listpath(listname)
for ext in ('.pck', '.pck.last', '.db', '.db.last'):
dbfile = os.path.join(basepath, 'config' + ext)
diff --git a/NEWS b/NEWS
index b021f309..94571b4a 100755
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,15 @@ Copyright (C) 1998-2015 by the Free Software Foundation, Inc.
Here is a history of user visible changes to Mailman.
-2.1.20 (xx-xxx-xxxx)
+2.1.20 (31-Mar-2015)
+
+ Security
+
+ - A path traversal vulnerability has been discovered and fixed. This
+ vulnerability is only exploitable by a local user on a Mailman server
+ where the suggested Exim transport, the Postfix postfix_to_mailman.py
+ transport or some other programmatic MTA delivery not using aliases
+ is employed. CVE-2015-2775 (LP: #1437145)
New Features