Diffstat (limited to 'Mailman')
-rw-r--r-- | Mailman/Archiver/HyperArch.py | 1 | ||||
-rw-r--r-- | Mailman/Defaults.py.in | 5 | ||||
-rw-r--r-- | Mailman/MTA/Utils.py | 11 | ||||
-rw-r--r-- | Mailman/MailList.py | 6 | ||||
-rw-r--r-- | Mailman/Version.py | 6 |
5 files changed, 23 insertions, 6 deletions
diff --git a/Mailman/Archiver/HyperArch.py b/Mailman/Archiver/HyperArch.py index 843f1507..d4fc5d9a 100644 --- a/Mailman/Archiver/HyperArch.py +++ b/Mailman/Archiver/HyperArch.py @@ -688,6 +688,7 @@ class HyperArchive(pipermail.T): "archivedate": quotetime(self.archivedate), "listinfo": mlist.GetScriptURL('listinfo', absolute=1), "version": self.version, + "listname": html_quote(mlist.real_name, self.lang), } i = {"thread": _("thread"), "subject": _("subject"), diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in index 545eb6fe..fcf474a5 100644 --- a/Mailman/Defaults.py.in +++ b/Mailman/Defaults.py.in @@ -109,6 +109,11 @@ ALLOW_SITE_ADMIN_COOKIES = No # name of the temporary file that the program should operate on. HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s' +# A Python regular expression character class which defines the characters +# allowed in list names. Lists cannot be created with names containing any +# character that doesn't match this class. +ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]' + ##### diff --git a/Mailman/MTA/Utils.py b/Mailman/MTA/Utils.py index 14562de6..07d8bcad 100644 --- a/Mailman/MTA/Utils.py +++ b/Mailman/MTA/Utils.py @@ -1,4 +1,4 @@ -# Copyright (C) 2001,2002 by the Free Software Foundation, Inc. +# Copyright (C) 2001-2008 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -17,6 +17,7 @@ """Utilities for list creation/deletion hooks.""" import os +import re import pwd from Mailman import mm_cfg 
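Review bot: The comment added above `ACCEPTABLE_LISTNAME_CHARACTERS` in Defaults.py.in describes the setting as a naming rule but does not say that it is a security boundary. The MailList.py and MTA/Utils.py changes in this same commit show that list names end up inside MTA alias pipe commands, so a site that widens this class in its local configuration can reintroduce the problem the commit is closing. I would add a line such as `# Do not add shell metacharacters, quotes or whitespace: list names are placed in MTA alias pipe commands.` It would also help to state that the value must remain a single bracketed character class, because the check in MailList.py works by deleting every match and testing what is left.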
@@ -45,13 +46,17 @@ def _makealiases_mailprog(listname): # backwards compatibility and may eventually go away (we really have no # need for the -admin address anymore). # + # We escape a few special characters in the list name in the pipe command + # to avoid characters that might split the pipe into two commands. + safename = re.sub('([;|&`$])', r'\\\1', listname) + # # Seed this with the special cases. - aliases = [(listname, '"|%s post %s"' % (wrapper, listname)), + aliases = [(listname, '"|%s post %s"' % (wrapper, safename)), ] for ext in ('admin', 'bounces', 'confirm', 'join', 'leave', 'owner', 'request', 'subscribe', 'unsubscribe'): aliases.append(('%s-%s' % (listname, ext), - '"|%s %s %s"' % (wrapper, ext, listname))) + '"|%s %s %s"' % (wrapper, ext, safename))) return aliases diff --git a/Mailman/MailList.py b/Mailman/MailList.py index 7cd2c5cb..ac2d1baf 100644 --- a/Mailman/MailList.py +++ b/Mailman/MailList.py @@ -475,6 +475,12 @@ class MailList(HTMLFormatter, Deliverer, ListAdmin, assert name == name.lower(), 'List name must be all lower case.' if Utils.list_exists(name): raise Errors.MMListAlreadyExistsError, name + # Problems and potential attacks can occur if the list name in the + # pipe to the wrapper in an MTA alias or other delivery process + # contains shell special characters so allow only defined characters + # (default = '[-+_.=a-z0-9]'). + if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', name)) > 0: + raise Errors.BadListNameError, name # Validate what will be the list's posting address. If that's # invalid, we don't want to create the mailing list. The hostname # part doesn't really matter, since that better already be valid. diff --git a/Mailman/Version.py b/Mailman/Version.py index 65738b6b..4a559213 100644 --- a/Mailman/Version.py +++ b/Mailman/Version.py @@ -16,7 +16,7 @@ # USA. # Mailman version -VERSION = '2.1.11rc2' +VERSION = '2.1.11' # And as a hex number in the manner of PY_VERSION_HEX ALPHA = 0xa 
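Review bot: The `safename` escaping in `_makealiases_mailprog` is a denylist of five characters (semicolon, pipe, ampersand, backquote, dollar sign), so it misses others that matter in the same position: the double quote that delimits the alias value, backslash, whitespace and newlines. Only the command side is escaped; the alias keys `listname` and `'%s-%s' % (listname, ext)` are still written unchanged. The creation-time check added in MailList.py does not cover lists that already exist, so this function would be safer refusing any name outside the configured class than trying to escape it, for example `if re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname): raise ValueError(listname)`. The exception type should match what the callers expect, and they are not visible here. The function's opening lines are outside the hunk.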
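Review bot: In the MailList.py hunk the new character check sits after `Utils.list_exists(name)`, so a name that is about to be rejected is still handed to that helper first. Its body is not shown, but if it derives a filesystem path from the name, the allowlist test should run before it; I would move the `re.sub(...)` test above the `list_exists` call. The hunk also does not show an `import re` for MailList.py, which the new line depends on. As a smaller point, `if re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', name):` states the intent more directly than wrapping it in `len(...) > 0`. The enclosing method starts outside the hunk.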
@@ -29,9 +29,9 @@ FINAL = 0xf MAJOR_REV = 2 MINOR_REV = 1 MICRO_REV = 11 -REL_LEVEL = GAMMA +REL_LEVEL = FINAL # at most 15 beta releases! -REL_SERIAL = 2 +REL_SERIAL = 0 HEX_VERSION = ((MAJOR_REV << 24) | (MINOR_REV << 16) | (MICRO_REV << 8) | (REL_LEVEL << 4) | (REL_SERIAL << 0)) |