-rwxr-xr-xMailman/Defaults.py.in9
-rw-r--r--Mailman/Utils.py13
-rw-r--r--NEWS10
3 files changed, 28 insertions, 4 deletions
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index 5e158e5b..fabd95bd 100755
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -166,6 +166,15 @@ HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s'
# character that doesn't match this class. Do not include '/' in this list.
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
+# The number of characters in the longest listname in the installation. The
+# fix for LP: #1780874 truncates list names in web URLs to this length to avoid
+# a content spoofing vulnerability. If this is left at its default value of
+# 0, the length of the longest listname is calculated on every web access.
+# This can have performance implications in installations with a very large
+# number of lists. To use this feature to avoid the calculation, set this to
+# a number equal to the length of the longest expected valid list name.
+MAX_LISTNAME_LENGTH = 0
+
# Shall the user's real names be displayed along with their email addresses
# in list rosters? Defaults to No to preserve prior behavior.
ROSTER_DISPLAY_REALNAME = No
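Review bot: The new comment above MAX_LISTNAME_LENGTH tells the admin to set it to the length of the longest expected list name, but not what a wrong value does, and that matters because the value becomes the bound of a security check. From the Utils.py hunk, a value larger than any real list name loosens the hostile-listname check by that margin, while a value smaller than an existing list name makes requests for that list log as 'mischief' and presumably be treated as hostile by the code that follows. I would add after the last sentence: `# Too small a value flags valid list URLs as hostile; too large a value weakens that check.`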
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 47e4e5cc..10629fc4 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -292,11 +292,16 @@ def GetPathPieces(envar='PATH_INFO'):
remote)
# Check for listname injections that won't be websafed.
pieces = [p for p in path.split('/') if p]
- # Get the longest listname or 20 if none.
- if list_names():
- longest = max([len(x) for x in list_names()])
+ # Get the longest listname or 20 if none or use MAX_LISTNAME_LENGTH if
+ # provided > 0.
+ if mm_cfg.MAX_LISTNAME_LENGTH > 0:
+ longest = mm_cfg.MAX_LISTNAME_LENGTH
else:
- longest = 20
+ lst_names = list_names()
+ if lst_names:
+ longest = max([len(x) for x in lst_names])
+ else:
+ longest = 20
if pieces and len(pieces[0]) > longest:
syslog('mischief',
'Hostile listname: listname=%s: remote=%s', pieces[0], remote)
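Review bot: The rewritten comment at the top of the new block ("Get the longest listname or 20 if none or use MAX_LISTNAME_LENGTH if provided > 0") lists three alternatives without saying which wins, while the code gives the configured value precedence and consults list_names() only when it is 0. Suggest `# Use MAX_LISTNAME_LENGTH when configured (> 0); otherwise bound by the longest existing listname, or 20 when there are no lists.` Since the bound is now admin-supplied, the strength of the 'Hostile listname' check below depends on it being no larger than the real longest name, which is worth a one-line reminder at the assignment. Minor style point: `longest = max(len(x) for x in lst_names)` avoids building an intermediate list. GetPathPieces begins before this hunk and continues after it.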
diff --git a/NEWS b/NEWS
index cfca39a2..85b15ff2 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,13 @@ Here is a history of user visible changes to Mailman.
From: addresses listed or matching listed regexps. This can be used
to modify mail to addresses that don't accept external mail From:
themselves.
+
+ - There is a new MAX_LISTNAME_LENGTH setting. The fix for LP: #1780874
+ obtains a list of the names of all the all the lists in the installation
+ in order to determine the maximum length of a legitimate list name. It
+ does this on every web access and on sites with a very large number of
+ lists, this can have performance implications. See the description in
+ Defaults.py for more information.
Bug Fixes and other patches
@@ -28,6 +35,9 @@ Here is a history of user visible changes to Mailman.
- Corrected and augmented some security log messages. (LP: #1810098)
+ - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All.
+ (LP: #1818205)
+
2.1.29 (24-Jul-2018)
Bug Fixes