From 6968ea49785c35af0acedb38917e3a9bd013b0a9 Mon Sep 17 00:00:00 2001
From: bwarsaw <>
Date: Sun, 28 Sep 2003 16:04:06 +0000
Subject: process_request(), request_creation(): Close cross-site scripting exploits found by Ned Dawes. Also, whitespace normalization. Backported from HEAD.
---
 Mailman/Cgi/create.py | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)
(limited to 'Mailman/Cgi')
diff --git a/Mailman/Cgi/create.py b/Mailman/Cgi/create.py
index 31e16269..79df14a5 100644
--- a/Mailman/Cgi/create.py
+++ b/Mailman/Cgi/create.py
@@ -1,17 +1,17 @@
-# Copyright (C) 2001,2002 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2003 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
 # of the License, or (at your option) any later version.
-#
+#
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
-#
+#
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
+# along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
 """Create mailing lists through the web."""
@@ -87,7 +87,7 @@ def process_request(doc, cgidata):
 moderate = int(cgidata.getvalue('moderate', '0'))
 except ValueError:
 moderate = mm_cfg.DEFAULT_DEFAULT_MEMBER_MODERATION
-
+
 password = cgidata.getvalue('password', '').strip()
 confirm = cgidata.getvalue('confirm', '').strip()
 auth = cgidata.getvalue('auth', '').strip()
@@ -96,15 +96,17 @@ def process_request(doc, cgidata):
 if type(langs) <> ListType:
 langs = [langs]
 # Sanity check
+ safelistname = Utils.websafe(listname)
 if '@' in listname:
 request_creation(doc, cgidata,
- _('List name must not include "@": %(listname)s'))
+ _('List name must not include "@": %(safelistname)s'))
 return
 if Utils.list_exists(listname):
 # BAW: should we tell them the list already exists? This could be
 # used to mine/guess the existance of non-advertised lists. Then
 # again, that can be done in other ways already, so oh well.
- request_creation(doc, cgidata, _('List already exists: %(listname)s'))
+ request_creation(doc, cgidata,
+ _('List already exists: %(safelistname)s'))
 return
 if not listname:
 request_creation(doc, cgidata,
@@ -194,7 +196,7 @@ def process_request(doc, cgidata):
 _('''Some unknown error occurred while creating the list. Please contact the site administrator for assistance.'''))
 return
-
+
 # Initialize the host_name and web_page_url attributes, based on
 # virtual hosting settings and the request environment variables.
 hostname = Utils.get_domain()
@@ -222,8 +224,8 @@ def process_request(doc, cgidata):
 text = Utils.maketext(
 'newlist.txt',
 {'listname' : listname,
- 'password' : password,
- 'admin_url' : mlist.GetScriptURL('admin', absolute=1),
+ 'password' : password,
+ 'admin_url' : mlist.GetScriptURL('admin', absolute=1),
 'listinfo_url': mlist.GetScriptURL('listinfo', absolute=1),
 'requestaddr' : mlist.GetRequestEmail(),
 'siteowner' : siteadmin,
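Review bot: The escaped name in the two new `%(safelistname)s` messages only reaches the page because, as the hunk's usage implies, `_()` interpolates from the caller's local frame, so `safelistname` must remain a local of process_request under exactly that name; a rename or a move into a helper would silently drop the escaping with no error. I would add above the assignment `# _() interpolates from this frame's locals: keep the HTML-escaped copy in a local and use it for every message that reaches the page.` Any other message in this function that still interpolates `%(listname)s` (none is visible in this hunk) would remain unescaped and should be switched the same way. process_request starts before and continues past this hunk.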
@@ -309,13 +311,15 @@ def request_creation(doc, cgidata=dummy, errmsg=None):
 ftable.AddRow([Center(Italic(_('List Identity')))])
 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, colspan=2)
+ safelistname = Utils.websafe(cgidata.getvalue('listname', ''))
 ftable.AddRow([Label(_('Name of list:')),
- TextBox('listname', cgidata.getvalue('listname', ''))])
+ TextBox('listname', safelistname)])
 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
+ safeowner = Utils.websafe(cgidata.getvalue('owner', ''))
 ftable.AddRow([Label(_('Initial list owner address:')),
- TextBox('owner', cgidata.getvalue('owner', ''))])
+ TextBox('owner', safeowner)])
 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
@@ -330,13 +334,15 @@ def request_creation(doc, cgidata=dummy, errmsg=None):
 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
+ safepasswd = Utils.websafe(cgidata.getvalue('password', ''))
 ftable.AddRow([Label(_('Initial list password:')),
- PasswordBox('password', cgidata.getvalue('password', ''))])
+ PasswordBox('password', safepasswd)])
 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
+ safeconfirm = Utils.websafe(cgidata.getvalue('confirm', ''))
 ftable.AddRow([Label(_('Confirm initial password:')),
- PasswordBox('confirm', cgidata.getvalue('confirm', ''))])
+ PasswordBox('confirm', safeconfirm)])
 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
 ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
-- 
cgit v1.2.3
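Review bot: The new `safelistname` and `safeowner` values are fed to `TextBox`, i.e. they end up inside an HTML attribute value, so this fix is complete only if `Utils.websafe` escapes the quote character as well as `&`, `<`, `>` (as `cgi.escape(s, quote=1)` does) and `TextBox` does not escape a second time; neither is visible in this hunk, so please confirm the former and record it with a comment such as `# websafe() must quote-escape: these values land inside value="..." attributes.` The same applies to `safepasswd` and `safeconfirm` in the second hunk of this file; there I would also consider not echoing the submitted password back into the response at all, `PasswordBox('password', '')` and likewise for `confirm`, since an escaped secret is still a secret in the page source. request_creation starts before and continues past both hunks.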