Diffstat (limited to '')
-rwxr-xr-x | Mailman/Defaults.py.in | 9 | ||||
-rw-r--r-- | Mailman/Utils.py | 13 |
2 files changed, 18 insertions, 4 deletions
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index 5e158e5b..fabd95bd 100755
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -166,6 +166,15 @@ HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s'
 # character that doesn't match this class. Do not include '/' in this list.
 ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
 
+# The number of characters in the longest listname in the installation. The
+# fix for LP: #1780874 truncates list names in web URLs to this length to avoid
+# a content spoofing vulnerability. If this is left at its default value of
+# 0, the length of the longest listname is calculated on every web access.
+# This can have performance implications in installations with a very large
+# number of lists. To use this feature to avoid the calculation, set this to
+# a number equal to the length of the longest expected valid list name.
+MAX_LISTNAME_LENGTH = 0
+
 # Shall the user's real names be displayed along with their email addresses
 # in list rosters? Defaults to No to preserve prior behavior.
 ROSTER_DISPLAY_REALNAME = No
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 47e4e5cc..10629fc4 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -292,11 +292,16 @@ def GetPathPieces(envar='PATH_INFO'):
 remote)
 # Check for listname injections that won't be websafed.
 pieces = [p for p in path.split('/') if p]
- # Get the longest listname or 20 if none.
- if list_names():
- longest = max([len(x) for x in list_names()])
+ # Get the longest listname or 20 if none or use MAX_LISTNAME_LENGTH if
+ # provided > 0.
+ if mm_cfg.MAX_LISTNAME_LENGTH > 0:
+ longest = mm_cfg.MAX_LISTNAME_LENGTH
 else:
- longest = 20
+ lst_names = list_names()
+ if lst_names:
+ longest = max([len(x) for x in lst_names])
+ else:
+ longest = 20
 if pieces and len(pieces[0]) > longest:
 syslog('mischief',
 'Hostile listname: listname=%s: remote=%s', pieces[0], remote) |
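Review bot: The new comment above `MAX_LISTNAME_LENGTH` explains the performance reason for setting it but not what happens when the value is wrong. Going by the Utils.py hunk, a value shorter than a real list name makes that list's first path component exceed `longest`, so its web URLs are logged as hostile. A value far above the real maximum leaves more room for injected text than the computed length would. I would add a line such as `# A value shorter than an existing list name causes that list's URLs to be treated as hostile; revisit it whenever longer lists are created.` and note that an oversized value loosens the spoofing mitigation.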
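Review bot: The new guard `mm_cfg.MAX_LISTNAME_LENGTH > 0` in GetPathPieces accepts anything that compares greater than 0, not only a positive integer. If this code runs under Python 2 ordering rules, a quoted value such as `'30'` in the site config passes the test. The later `len(pieces[0]) > longest` is then never true, which silently turns off the hostile-listname check this setting exists to support. Tightening the guard to `if isinstance(mm_cfg.MAX_LISTNAME_LENGTH, int) and mm_cfg.MAX_LISTNAME_LENGTH > 0:` makes a mistyped setting fall back to the computed length. The function starts and ends outside the hunk, so what happens after the syslog call is not visible here.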