1 files changed, 17 insertions, 5 deletions

diff --git a/Mailman/Cgi/roster.py b/Mailman/Cgi/roster.py
index 6260c973..cb6847af 100644
--- a/Mailman/Cgi/roster.py
+++ b/Mailman/Cgi/roster.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2017 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -57,13 +57,25 @@ def main():
         # Send this with a 404 status.
         print 'Status: 404 Not Found'
         error_page(_('No such list <em>%(safelistname)s</em>'))
-        syslog('error', 'roster: no such list "%s": %s', listname, e)
+        syslog('error', 'roster: No such list "%s": %s', listname, e)
         return
 
     cgidata = cgi.FieldStorage()
 
     # messages in form should go in selected language (if any...)
-    lang = cgidata.getvalue('language')
+    try:
+        lang = cgidata.getvalue('language')
+    except TypeError:
+        # Someone crafted a POST with a bad Content-Type:.
+        doc = Document()
+        doc.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+        doc.AddItem(Header(2, _("Error")))
+        doc.AddItem(Bold(_('Invalid options to CGI script.')))
+        # Send this with a 400 status.
+        print 'Status: 400 Bad Request'
+        print doc.Format()
+        return
+
     if not Utils.IsLanguage(lang):
         lang = mlist.preferred_language
     i18n.set_language(lang)
@@ -129,8 +141,8 @@ def error_page(errmsg):
     print doc.Format()
 
 
-def error_page_doc(doc, errmsg, *args):
+def error_page_doc(doc, errmsg):
     # Produce a simple error-message page on stdout and exit.
     doc.SetTitle(_("Error"))
     doc.AddItem(Header(2, _("Error")))
-    doc.AddItem(Bold(errmsg % args))
+    doc.AddItem(Bold(errmsg))