diff options
Diffstat (limited to 'Mailman')
| -rw-r--r-- | Mailman/Cgi/options.py | 8 | ||||
| -rw-r--r-- | Mailman/Utils.py | 16 |
2 files changed, 24 insertions, 0 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py index c400e9fb..7b2c70b5 100644 --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -129,6 +129,14 @@ def main(): return else: user = Utils.LCDomain(Utils.UnobscureEmail(SLASH.join(parts[1:]))) + # If a user submits a form or URL with post data or query fragments + # with multiple occurrences of the same variable, we can get a list + # here. Be as careful as possible. + if isinstance(user, list) or isinstance(user, tuple): + if len(user) == 0: + user = '' + else: + user = user[-1] # Avoid cross-site scripting attacks safeuser = Utils.websafe(user) diff --git a/Mailman/Utils.py b/Mailman/Utils.py index fe513c8e..f22e45b4 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -234,6 +234,14 @@ _valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE) def ValidateEmail(s): """Verify that an email address isn't grossly evil.""" + # If a user submits a form or URL with post data or query fragments + # with multiple occurrences of the same variable, we can get a list + # here. Be as careful as possible. + if isinstance(s, list) or isinstance(s, tuple): + if len(s) == 0: + s = '' + else: + s = s[-1] # Pretty minimal, cheesy check. We could do better... if not s or s.count(' ') > 0: raise Errors.MMBadEmailError @@ -454,6 +462,14 @@ def check_global_password(response, siteadmin=True): _ampre = re.compile('&((?:#[0-9]+|[a-z]+);)', re.IGNORECASE) def websafe(s): + # If a user submits a form or URL with post data or query fragments + # with multiple occurrences of the same variable, we can get a list + # here. Be as careful as possible. + if isinstance(s, list) or isinstance(s, tuple): + if len(s) == 0: + s = '' + else: + s = s[-1] if mm_cfg.BROKEN_BROWSER_WORKAROUND: # Archiver can pass unicode here. Just skip them as the # archiver escapes non-ascii anyway. |