aboutsummaryrefslogtreecommitdiffstats
path: root/Mailman
diff options
context:
space:
mode:
Diffstat (limited to 'Mailman')
-rw-r--r--Mailman/Cgi/options.py8
-rwxr-xr-xMailman/Defaults.py.in12
-rwxr-xr-xMailman/Handlers/CookHeaders.py8
-rw-r--r--Mailman/Utils.py16
4 files changed, 37 insertions, 7 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index c400e9fb..7b2c70b5 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -129,6 +129,14 @@ def main():
return
else:
user = Utils.LCDomain(Utils.UnobscureEmail(SLASH.join(parts[1:])))
+ # If a user submits a form or URL with post data or query fragments
+ # with multiple occurrences of the same variable, we can get a list
+ # here. Be as careful as possible.
+ if isinstance(user, list) or isinstance(user, tuple):
+ if len(user) == 0:
+ user = ''
+ else:
+ user = user[-1]
# Avoid cross-site scripting attacks
safeuser = Utils.websafe(user)
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index 3bb9bc13..0e376e1c 100755
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -131,12 +131,12 @@ SUBSCRIBE_FORM_SECRET = None
# test.
SUBSCRIBE_FORM_MIN_TIME = seconds(5)
-# Installation wide ban list. This is a list, one entry per line, of email
-# addresses and regexp patterns (beginning with ^) which are not allowed to
-# subscribe to any lists in the installation. This supplements the individual
-# list's ban_list. For example, to ban xxx@aol.com and any @gmail.com address
-# beginning with yyy, set
-# GLOBAL_BAN_LIST = ['xxx@aol.com', '^yyy.*@gmail.com']
+# Installation wide ban list. This is a list of email addresses and regexp
+# patterns (beginning with ^) which are not allowed to subscribe to any lists
+# in the installation. This supplements the individual list's ban_list.
+# For example, to ban xxx@aol.com and any @gmail.com address beginning with
+# yyy, set
+# GLOBAL_BAN_LIST = ['xxx@aol.com', '^yyy.*@gmail\.com']
GLOBAL_BAN_LIST = []
# Command that is used to convert text/html parts into plain text. This
diff --git a/Mailman/Handlers/CookHeaders.py b/Mailman/Handlers/CookHeaders.py
index 25fda890..63e630cb 100755
--- a/Mailman/Handlers/CookHeaders.py
+++ b/Mailman/Handlers/CookHeaders.py
@@ -380,7 +380,13 @@ def prefix_subject(mlist, msg, msgdata):
else:
old_style = mm_cfg.OLD_STYLE_PREFIXING
subject = re.sub(prefix_pattern, '', subject)
- rematch = re.match('((RE|AW|SV|VS)\s*(\[\d+\])?\s*:\s*)+', subject, re.I)
+ # Previously the following re didn't have the first \s*. It would fail
+ # if the incoming Subject: was like '[prefix] Re: Re: Re:' because of the
+ # leading space after stripping the prefix. It is not known what MUA would
+ # create such a Subject:, but the issue was reported.
+ rematch = re.match(
+ '(\s*(RE|AW|SV|VS)\s*(\[\d+\])?\s*:\s*)+',
+ subject, re.I)
if rematch:
subject = subject[rematch.end():]
recolon = 'Re:'
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index fe513c8e..f22e45b4 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -234,6 +234,14 @@ _valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE)
def ValidateEmail(s):
"""Verify that an email address isn't grossly evil."""
+ # If a user submits a form or URL with post data or query fragments
+ # with multiple occurrences of the same variable, we can get a list
+ # here. Be as careful as possible.
+ if isinstance(s, list) or isinstance(s, tuple):
+ if len(s) == 0:
+ s = ''
+ else:
+ s = s[-1]
# Pretty minimal, cheesy check. We could do better...
if not s or s.count(' ') > 0:
raise Errors.MMBadEmailError
@@ -454,6 +462,14 @@ def check_global_password(response, siteadmin=True):
_ampre = re.compile('&((?:#[0-9]+|[a-z]+);)', re.IGNORECASE)
def websafe(s):
+ # If a user submits a form or URL with post data or query fragments
+ # with multiple occurrences of the same variable, we can get a list
+ # here. Be as careful as possible.
+ if isinstance(s, list) or isinstance(s, tuple):
+ if len(s) == 0:
+ s = ''
+ else:
+ s = s[-1]
if mm_cfg.BROKEN_BROWSER_WORKAROUND:
# Archiver can pass unicode here. Just skip them as the
# archiver escapes non-ascii anyway.