-rwxr-xr-x[-rw-r--r--]Mailman/Handlers/Approve.py19
-rw-r--r--NEWS5
2 files changed, 23 insertions, 1 deletions
diff --git a/Mailman/Handlers/Approve.py b/Mailman/Handlers/Approve.py
index 9567325a..cfd76f46 100644..100755
--- a/Mailman/Handlers/Approve.py
+++ b/Mailman/Handlers/Approve.py
@@ -39,6 +39,16 @@ except NameError:
NL = '\n'
+def _(s):
+ # message is translated when used.
+ return s
+REJECT = _("""Message rejected.
+It appears that this message contains an HTML part with the
+Approved: password line, but due to the way it is coded in the
+HTML it can't be safely removed.
+""")
+del _
+
def process(mlist, msg, msgdata):
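Review bot: The comment on the temporary `_` at the top of this hunk does not say why an identity function is defined and then removed with `del _`, which makes the pattern look like dead code. A comment such as `# Mark REJECT for the message catalog only; translation happens where the text is used.` would make the intent clear. Whether the code that handles `Errors.RejectMessage` actually translates the text is not visible in this hunk, so that is worth confirming. If this module binds `_` anywhere above line 39 (not shown here), `del _` would also remove that binding.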
@@ -100,7 +110,8 @@ def process(mlist, msg, msgdata):
# text part. We make a pattern from the Approved line and delete
# it from all text/* parts in which we find it. It would be
# better to just iterate forward, but email compatability for pre
- # Python 2.2 returns a list, not a true iterator.
+ # Python 2.2 returns a list, not a true iterator. Also, there
+ # are pathological MUAs that put the HTML part first.
#
# This will process all the multipart/alternative parts in the
# message as well as all other text parts. We shouldn't find the
@@ -111,12 +122,18 @@ def process(mlist, msg, msgdata):
# line of HTML or other fancy text may include additional message
# text. This pattern works with HTML. It may not work with rtf
# or whatever else is possible.
+ #
+ # If we don't find the pattern in the decoded part, but we do
+ # find it after stripping HTML tags, we don't know how to remove
+ # it, so we just reject the post.
pattern = name + ':(\xA0|\s| )*' + re.escape(passwd)
for part in typed_subpart_iterator(msg, 'text'):
if part is not None and part.get_payload() is not None:
lines = part.get_payload(decode=True)
if re.search(pattern, lines):
reset_payload(part, re.sub(pattern, '', lines))
+ elif re.search(pattern, re.sub('(?s)<.*?>', '', lines)):
+ raise Errors.RejectMessage, REJECT
if passwd is not missing and mlist.Authenticate((mm_cfg.AuthListPoster,
mm_cfg.AuthListModerator,
mm_cfg.AuthListAdmin),
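Review bot: The tag-stripped check is an `elif`, so it never runs for a part where the plain pattern already matched. A part holding one removable Approved: line plus a second copy broken up by markup would have the first copy deleted and the second delivered to the list with the password still in it. Run the stripped check on the text that remains after substitution instead: `lines = re.sub(pattern, '', lines)`, then `if re.search(pattern, re.sub('(?s)<.*?>', '', lines)): raise Errors.RejectMessage, REJECT`, with `reset_payload(part, lines)` kept for the case where something was removed. Stripping tags also does not decode character references, so a line written with entities would presumably still get through; the new comment should state that limit. `process` starts and ends outside this hunk.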
diff --git a/NEWS b/NEWS
index 9e18f50c..62c50307 100644
--- a/NEWS
+++ b/NEWS
@@ -71,6 +71,11 @@ Here is a history of user visible changes to Mailman.
Bug Fixes and other patches
+ - The fix for BUG #266220 (sf1181161) has been enhanced so that if there
+ is a pathological HTML part such that the Approved: password text isn't
+ found, but it is found after stripping out HTML tags, the post is
+ rejected with an informative message.
+
- A bug that would cause reset of any new_member_options bits other than
the four displayed as checkboxes on the list admin General Options page
whenever the page was updated or bin/config_list attempted to update