From 4dc70bbcc0856b2a27d0d6c0a2def51433712e36 Mon Sep 17 00:00:00 2001
From: msapiro <>
Date: Fri, 23 Jun 2006 20:03:32 +0000
Subject: - Decorate.py Fixed bug 1507248 by ignoring header/footer characters outside the character set of the list's language. - Utils.py Fixed a security hole which allowed a crafted URI to inject bogus apparent messages into the error log, possibly inducing an admin to visit a phishing site.
---
 Mailman/Handlers/Decorate.py | 4 ++--
 Mailman/Utils.py | 10 ++++++++--
 NEWS | 15 +++++++++++++++
 3 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/Mailman/Handlers/Decorate.py b/Mailman/Handlers/Decorate.py
index 41db3950..d6b20391 100644
--- a/Mailman/Handlers/Decorate.py
+++ b/Mailman/Handlers/Decorate.py
@@ -95,8 +95,8 @@ def process(mlist, msg, msgdata):
     # TK: Try to keep the message plain by converting the header/
     # footer/oldpayload into unicode and encode with mcset/lcset.
     # Try to decode qp/base64 also.
-    uheader = unicode(header, lcset)
-    ufooter = unicode(footer, lcset)
+    uheader = unicode(header, lcset, 'ignore')
+    ufooter = unicode(footer, lcset, 'ignore')
     try:
         oldpayload = unicode(msg.get_payload(decode=True), mcset)
         frontsep = endsep = u''
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index d0eca99a..5218fed8 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -53,6 +53,7 @@ from Mailman import mm_cfg
 from Mailman import Errors
 from Mailman import Site
 from Mailman.SafeDict import SafeDict
+from Mailman.Logging.Syslog import syslog
 try:
     True, False
@@ -219,9 +220,16 @@ def ValidateEmail(s):
+# Patterns which may be used to form malicious path to inject a new
+# line in the mailman error log. (TK: advisory by Moritz Naumann)
+CRNLpat = re.compile(r'[^\x21-\x7e]')
+
 def GetPathPieces(envar='PATH_INFO'):
     path = os.environ.get(envar)
     if path:
+        if CRNLpat.search(path):
+            path = CRNLpat.split(path)[0]
+            syslog('error', 'Warning: Possible malformed path attack.')
         return [p for p in path.split('/') if p]
     return None
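Review bot: Passing `'ignore'` to `unicode()` in the two changed lines silently drops every header/footer byte that is not valid in `lcset`, so a list whose configured header contains such characters loses text with no trace for the admin; `'replace'` would keep a visible U+FFFD marker in the delivered message and still avoids the shunting this fixes. If dropping is the intended behaviour, a short comment recording the choice would help, e.g. `# 'ignore': drop bytes outside lcset rather than shunt the message (bug 1507248)`. `process` starts and ends outside this hunk.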
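Review bot: Hoisting `syslog` to a module-level import in Utils.py is only safe if `Mailman.Logging.Syslog` does not itself import `Mailman.Utils`, directly or via `mm_cfg`; the two function-local imports this commit removes in the `Secure_MakeRandomPassword` and `findtext` hunks look like they were deferred for exactly that reason, so this is worth confirming against the import graph rather than assuming. If there is a cycle, keeping the import local inside `GetPathPieces` would be the conservative fix.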
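Review bot: `CRNLpat` rejects every byte outside printable ASCII (tab, space and any non-ASCII byte included), not only CR/LF, so the name and the comment above it understate what is filtered; a comment such as `# Anything outside printable ASCII (\x21-\x7e) is rejected, not only CR/LF; a tab, space or non-ASCII byte also trips this` would spare the next reader a surprise. After a hit, `GetPathPieces` continues with the prefix before the first rejected byte instead of refusing the request, so the request is still served for whatever list name precedes it; returning `None` at that point would be the stricter choice, and callers already handle the `None` return for an empty path. Since the log message deliberately omits the offending path, adding `os.environ.get('REMOTE_ADDR')` to the `syslog` call would make the warning actionable for whoever reads the error log.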
@@ -326,7 +334,6 @@ def Secure_MakeRandomPassword(length):
         # We have no available source of cryptographically
         # secure random characters. Log an error and fallback
         # to the user friendly passwords.
-        from Mailman.Logging.Syslog import syslog
         syslog('error', 'urandom not available, passwords not secure')
         return UserFriendly_MakeRandomPassword(length)
@@ -541,7 +548,6 @@ def findtext(templatefile, dict=None, raw=False, lang=None, mlist=None):
         text = sdict.interpolate(utemplate)
     except (TypeError, ValueError), e:
         # The template is really screwed up
-        from Mailman.Logging.Syslog import syslog
         syslog('error', 'broken template: %s\n%s', filename, e)
         pass
     if raw:
diff --git a/NEWS b/NEWS
index e45b725a..491ff644 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,21 @@ Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
 Here is a history of user visible changes to Mailman.
+2.1.9 (xx-xxx-xxxx)
+
+  Security
+
+  - A malicious user could visit a specially crafted URI and inject an
+    apparent log message into Mailman's error log which might induce an
+    unsuspecting administrator to visit a phishing site. This has been
+    blocked. Thanks to Moritz Naumann for its discovery.
+
+  Bug fixes and other patches
+
+  - Fixed Decorate.py so that characters in message header/footer which
+    are not in the character set of the list's language are ignored rather
+    than causing shunted messages (1507248).
+
 2.1.8 (15-Apr-2006)
   Security
-- cgit v1.2.3