diff options
Diffstat (limited to 'Mailman')
-rw-r--r-- | Mailman/Cgi/options.py | 8 | ||||
-rwxr-xr-x | Mailman/Defaults.py.in | 12 | ||||
-rwxr-xr-x | Mailman/Handlers/CookHeaders.py | 8 | ||||
-rw-r--r-- | Mailman/Utils.py | 16 |
4 files changed, 37 insertions, 7 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py index c400e9fb..7b2c70b5 100644 --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -129,6 +129,14 @@ def main(): return else: user = Utils.LCDomain(Utils.UnobscureEmail(SLASH.join(parts[1:]))) + # If a user submits a form or URL with post data or query fragments + # with multiple occurrences of the same variable, we can get a list + # here. Be as careful as possible. + if isinstance(user, list) or isinstance(user, tuple): + if len(user) == 0: + user = '' + else: + user = user[-1] # Avoid cross-site scripting attacks safeuser = Utils.websafe(user) diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in index 3bb9bc13..0e376e1c 100755 --- a/Mailman/Defaults.py.in +++ b/Mailman/Defaults.py.in @@ -131,12 +131,12 @@ SUBSCRIBE_FORM_SECRET = None # test. SUBSCRIBE_FORM_MIN_TIME = seconds(5) -# Installation wide ban list. This is a list, one entry per line, of email -# addresses and regexp patterns (beginning with ^) which are not allowed to -# subscribe to any lists in the installation. This supplements the individual -# list's ban_list. For example, to ban xxx@aol.com and any @gmail.com address -# beginning with yyy, set -# GLOBAL_BAN_LIST = ['xxx@aol.com', '^yyy.*@gmail.com'] +# Installation wide ban list. This is a list of email addresses and regexp +# patterns (beginning with ^) which are not allowed to subscribe to any lists +# in the installation. This supplements the individual list's ban_list. +# For example, to ban xxx@aol.com and any @gmail.com address beginning with +# yyy, set +# GLOBAL_BAN_LIST = ['xxx@aol.com', '^yyy.*@gmail\.com'] GLOBAL_BAN_LIST = [] # Command that is used to convert text/html parts into plain text. This diff --git a/Mailman/Handlers/CookHeaders.py b/Mailman/Handlers/CookHeaders.py index 25fda890..63e630cb 100755 --- a/Mailman/Handlers/CookHeaders.py +++ b/Mailman/Handlers/CookHeaders.py @@ -380,7 +380,13 @@ def prefix_subject(mlist, msg, msgdata): else: old_style = mm_cfg.OLD_STYLE_PREFIXING subject = re.sub(prefix_pattern, '', subject) - rematch = re.match('((RE|AW|SV|VS)\s*(\[\d+\])?\s*:\s*)+', subject, re.I) + # Previously the following re didn't have the first \s*. It would fail + # if the incoming Subject: was like '[prefix] Re: Re: Re:' because of the + # leading space after stripping the prefix. It is not known what MUA would + # create such a Subject:, but the issue was reported. + rematch = re.match( + '(\s*(RE|AW|SV|VS)\s*(\[\d+\])?\s*:\s*)+', + subject, re.I) if rematch: subject = subject[rematch.end():] recolon = 'Re:' diff --git a/Mailman/Utils.py b/Mailman/Utils.py index fe513c8e..f22e45b4 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -234,6 +234,14 @@ _valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE) def ValidateEmail(s): """Verify that an email address isn't grossly evil.""" + # If a user submits a form or URL with post data or query fragments + # with multiple occurrences of the same variable, we can get a list + # here. Be as careful as possible. + if isinstance(s, list) or isinstance(s, tuple): + if len(s) == 0: + s = '' + else: + s = s[-1] # Pretty minimal, cheesy check. We could do better... if not s or s.count(' ') > 0: raise Errors.MMBadEmailError @@ -454,6 +462,14 @@ def check_global_password(response, siteadmin=True): _ampre = re.compile('&((?:#[0-9]+|[a-z]+);)', re.IGNORECASE) def websafe(s): + # If a user submits a form or URL with post data or query fragments + # with multiple occurrences of the same variable, we can get a list + # here. Be as careful as possible. + if isinstance(s, list) or isinstance(s, tuple): + if len(s) == 0: + s = '' + else: + s = s[-1] if mm_cfg.BROKEN_BROWSER_WORKAROUND: # Archiver can pass unicode here. Just skip them as the # archiver escapes non-ascii anyway. |