-rw-r--r-- | Mailman/Defaults.py.in | 5 | ||||
-rw-r--r-- | Mailman/MTA/Utils.py | 11 | ||||
-rw-r--r-- | Mailman/MailList.py | 6 | ||||
-rw-r--r-- | Mailman/Version.py | 6 | ||||
-rw-r--r-- | NEWS | 10 |
5 files changed, 31 insertions, 7 deletions
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index 545eb6fe..fcf474a5 100644
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -109,6 +109,11 @@ ALLOW_SITE_ADMIN_COOKIES = No
 # name of the temporary file that the program should operate on.
 HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s'
+# A Python regular expression character class which defines the characters
+# allowed in list names. Lists cannot be created with names containing any
+# character that doesn't match this class.
+ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
+
 #####
diff --git a/Mailman/MTA/Utils.py b/Mailman/MTA/Utils.py
index 14562de6..07d8bcad 100644
--- a/Mailman/MTA/Utils.py
+++ b/Mailman/MTA/Utils.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2001,2002 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2008 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -17,6 +17,7 @@
 """Utilities for list creation/deletion hooks."""
 import os
+import re
 import pwd
 from Mailman import mm_cfg
@@ -45,13 +46,17 @@ def _makealiases_mailprog(listname):
 # backwards compatibility and may eventually go away (we really have no
 # need for the -admin address anymore).
 #
+ # We escape a few special characters in the list name in the pipe command
+ # to avoid characters that might split the pipe into two commands.
+ safename = re.sub('([;|&`$])', r'\\\1', listname)
+ #
 # Seed this with the special cases.
- aliases = [(listname, '"|%s post %s"' % (wrapper, listname)),
+ aliases = [(listname, '"|%s post %s"' % (wrapper, safename)),
 ]
 for ext in ('admin', 'bounces', 'confirm', 'join', 'leave', 'owner',
 'request', 'subscribe', 'unsubscribe'):
 aliases.append(('%s-%s' % (listname, ext),
- '"|%s %s %s"' % (wrapper, ext, listname)))
+ '"|%s %s %s"' % (wrapper, ext, safename)))
 return aliases
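Review bot: The new comment on ACCEPTABLE_LISTNAME_CHARACTERS does not say how the value is consumed, and the direction matters: MailList.Create applies it as `re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', name)` and rejects the name if anything survives, so a site override must be a class of the characters to allow, not of the characters to forbid, or the meaning inverts silently. I would add `# This is applied with re.sub() to strip the allowed characters from a` / `# proposed name; anything left over makes MailList.Create() reject it.` / `# It governs list creation only; existing lists are not re-checked.` The last sentence is my reading of the MailList.py hunk in this commit, where the check sits inside Create; worth confirming there is no other caller.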
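Review bot: The escaping on the new `safename` line covers only `;|&`$`, while the value is spliced into a command that the following lines wrap in double quotes, so a double quote or backslash in the list name still changes the quoted pipe; the blocklist is not a complete defence by itself. With this commit the authoritative control is the ACCEPTABLE_LISTNAME_CHARACTERS check in MailList.Create, but `_makealiases_mailprog` is presumably also reached for lists that already existed before that check (alias regeneration), which were never validated. I would say so where the new comment is: `# NOTE: only a short blocklist is escaped here (quotes and backslashes are` / `# not); the real control is the ACCEPTABLE_LISTNAME_CHARACTERS check in` / `# MailList.Create(). This is defence in depth for pre-existing list names.` Since mm_cfg is imported in this module, re-applying that allowlist here and logging a mismatch would be the stronger option, if rejecting old lists at alias time is acceptable. The function begins outside the hunk; its def line is only the hunk context.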
diff --git a/Mailman/MailList.py b/Mailman/MailList.py
index 7cd2c5cb..ac2d1baf 100644
--- a/Mailman/MailList.py
+++ b/Mailman/MailList.py
@@ -475,6 +475,12 @@ class MailList(HTMLFormatter, Deliverer, ListAdmin,
 assert name == name.lower(), 'List name must be all lower case.'
 if Utils.list_exists(name):
 raise Errors.MMListAlreadyExistsError, name
+ # Problems and potential attacks can occur if the list name in the
+ # pipe to the wrapper in an MTA alias or other delivery process
+ # contains shell special characters so allow only defined characters
+ # (default = '[-+_.=a-z0-9]').
+ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', name)) > 0:
+ raise Errors.BadListNameError, name
 # Validate what will be the list's posting address. If that's
 # invalid, we don't want to create the mailing list. The hostname
 # part doesn't really matter, since that better already be valid.
diff --git a/Mailman/Version.py b/Mailman/Version.py
index 65738b6b..4a559213 100644
--- a/Mailman/Version.py
+++ b/Mailman/Version.py
@@ -16,7 +16,7 @@
 # USA.
 # Mailman version
-VERSION = '2.1.11rc2'
+VERSION = '2.1.11'
 # And as a hex number in the manner of PY_VERSION_HEX
 ALPHA = 0xa
@@ -29,9 +29,9 @@ FINAL = 0xf
 MAJOR_REV = 2
 MINOR_REV = 1
 MICRO_REV = 11
-REL_LEVEL = GAMMA
+REL_LEVEL = FINAL
 # at most 15 beta releases!
-REL_SERIAL = 2
+REL_SERIAL = 0
 HEX_VERSION = ((MAJOR_REV << 24) | (MINOR_REV << 16) | (MICRO_REV << 8) |
 (REL_LEVEL << 4) | (REL_SERIAL << 0))
@@ -4,7 +4,7 @@ Copyright (C) 1998-2008 by the Free Software Foundation, Inc.
 Here is a history of user visible changes to Mailman.
-2.1.11rc2 (23-Jun-2008)
+2.1.11 (30-Jun-2008)
 New Features
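Review bot: The new allowed-character check runs after `Utils.list_exists(name)`, so a name that is about to be rejected is still handed to the existence lookup first; validate before doing anything with the name by moving the six added lines above `if Utils.list_exists(name):` (the lowercase assert can stay first). The condition also reads more simply as `if re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', name):` since a non-empty remainder is already true. The hunk does not show whether `re` is imported in MailList.py or that Errors.BadListNameError already exists (neither is added by this commit), so both are worth a quick check. Create() begins before the hunk and continues after it.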
@@ -17,6 +17,14 @@ Here is a history of user visible changes to Mailman.
 - Prepended list name to bounce log unrecognized bounce messages.
+ - Added a new Defaults.py|mm_cfg.py setting ACCEPTABLE_LISTNAME_CHARACTERS
+ with default value '[-+_.=a-z0-9]'. This Python regular expression
+ character class specifies the characters allowed in list names. The
+ motivation for this is the fact that previously, a list named, e.g.,
+ xxx&yyy could be created and MTA aliases generated that would cause
+ The MTA to execute yyy as a command. There is a possible security issue
+ here, but it is not believed to be exploitable in any meaningful way.
+
 Bug fixes and other patches
 - Changed the preservation of unparseable messages to be conditional on |