From f2d4b816b39a77c32562dc8a23b1fcd0e61cc869 Mon Sep 17 00:00:00 2001
From: Mark Sapiro <mark@msapiro.net>
Date: Thu, 30 Mar 2017 12:20:45 -0700
Subject: Fixed unexploitable XSS attach via crafted HTTP Host: header.

---
 Mailman/Utils.py | 2 +-
 NEWS             | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 7bae2e6e..739def1d 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -759,7 +759,7 @@ def get_domain():
     if port and host.endswith(':' + port):
         host = host[:-len(port)-1]
     if mm_cfg.VIRTUAL_HOST_OVERVIEW and host:
-        return host.lower()
+        return websafe(host.lower())
     else:
         # See the note in Defaults.py concerning DEFAULT_URL
         # vs. DEFAULT_URL_HOST.
diff --git a/NEWS b/NEWS
index eaa202a1..083f4027 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,12 @@ Here is a history of user visible changes to Mailman.
 
 2.1.24 (xx-xxx-xxxx)
 
+  Security
+
+    - A most likely unexploitable XSS attach that relies on the Mailman web
+      server passing a crafted Host: header to the CGI environment has been
+      fixed.  Apache for one is not vulnerable.  Thanks to Alqnas Eslam.
+
   New Features
 
     - cron/senddigests has a new -e/--exceptlist option to send pending
-- 
cgit v1.2.3