-rwxr-xr-x | Mailman/Defaults.py.in | 9 | ||||
-rw-r--r-- | Mailman/Utils.py | 13 | ||||
-rw-r--r-- | NEWS | 10 |
3 files changed, 28 insertions, 4 deletions
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index 5e158e5b..fabd95bd 100755
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -166,6 +166,15 @@ HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s'
 # character that doesn't match this class. Do not include '/' in this list.
 ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'

+# The number of characters in the longest listname in the installation. The
+# fix for LP: #1780874 truncates list names in web URLs to this length to avoid
+# a content spoofing vulnerability. If this is left at its default value of
+# 0, the length of the longest listname is calculated on every web access.
+# This can have performance implications in installations with a very large
+# number of lists. To use this feature to avoid the calculation, set this to
+# a number equal to the length of the longest expected valid list name.
+MAX_LISTNAME_LENGTH = 0
+
 # Shall the user's real names be displayed along with their email addresses
 # in list rosters? Defaults to No to preserve prior behavior.
 ROSTER_DISPLAY_REALNAME = No
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 47e4e5cc..10629fc4 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -292,11 +292,16 @@ def GetPathPieces(envar='PATH_INFO'):
 remote)
 # Check for listname injections that won't be websafed.
 pieces = [p for p in path.split('/') if p]
- # Get the longest listname or 20 if none.
- if list_names():
- longest = max([len(x) for x in list_names()])
+ # Get the longest listname or 20 if none or use MAX_LISTNAME_LENGTH if
+ # provided > 0.
+ if mm_cfg.MAX_LISTNAME_LENGTH > 0:
+ longest = mm_cfg.MAX_LISTNAME_LENGTH
 else:
- longest = 20
+ lst_names = list_names()
+ if lst_names:
+ longest = max([len(x) for x in lst_names])
+ else:
+ longest = 20
 if pieces and len(pieces[0]) > longest:
 syslog('mischief', 'Hostile listname: listname=%s: remote=%s',
 pieces[0], remote)
@@ -14,6 +14,13 @@ Here is a history of user visible changes to Mailman. 
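Review bot: The new comment on MAX_LISTNAME_LENGTH does not say what a wrong value does, and the Mailman/Utils.py hunk substitutes the setting for the computed maximum outright, so a value shorter than an existing list name makes that list's URL trip the `Hostile listname` mischief log (and presumably whatever rejection follows, which is outside the hunk), while a value larger than needed loosens the length bound the LP: #1780874 fix relies on. I would add a sentence to the comment along the lines of `# A value shorter than an existing list name causes web requests for that list to be logged as a hostile listname; a value larger than necessary weakens the check, so keep it equal to the longest real list name and raise it when a longer list is created.`, wrapped to the file's comment width. The inline comment in the Utils.py hunk would benefit from the same caveat.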
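Review bot: mm_cfg.MAX_LISTNAME_LENGTH is used without any type or range check at `if mm_cfg.MAX_LISTNAME_LENGTH > 0:`, and because it comes from the admin-edited configuration, a value that is not an int (a quoted number, for instance) would on a Python 2 interpreter pass the `> 0` test through cross-type ordering and then make `len(pieces[0]) > longest` always false, silently disabling the check instead of failing loudly; that Mailman 2.1 runs on Python 2 is inferred from the codebase rather than visible in the hunk. Coercing once up front, `max_len = int(mm_cfg.MAX_LISTNAME_LENGTH)` then `if max_len > 0:` and `longest = max_len`, turns a misconfiguration into an immediate error at request time. As a minor style point, `max([len(x) for x in lst_names])` can drop the inner list and read `max(len(x) for x in lst_names)`. The enclosing GetPathPieces starts before and continues after this hunk.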
From: addresses listed or matching listed regexps. This can be used to modify mail to addresses that don't accept external mail From: themselves. + + - There is a new MAX_LISTNAME_LENGTH setting. The fix for LP: #1780874 + obtains a list of the names of all the all the lists in the installation + in order to determine the maximum length of a legitimate list name. It + does this on every web access and on sites with a very large number of + lists, this can have performance implications. See the description in + Defaults.py for more information. Bug Fixes and other patches @@ -28,6 +35,9 @@ Here is a history of user visible changes to Mailman. - Corrected and augmented some security log messages. (LP: #1810098) + - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All. + (LP: #1818205) + 2.1.29 (24-Jul-2018) Bug Fixes |