From 0cee915eeb5f8f99ed036d257b1103c28373eb5b Mon Sep 17 00:00:00 2001
From: bwarsaw <>
Date: Wed, 30 Aug 2006 14:54:22 +0000
Subject: CVE-2006-3636. Fixes for various cross-site scripting issues.
Discovery by Moritz Naumann and most of the repair work done by Mark Sapiro
(with some additional work by Barry).
---
Mailman/Cgi/admin.py | 15 ++++++++-------
Mailman/Cgi/admindb.py | 6 +++---
Mailman/Cgi/create.py | 25 ++++++++++++++++++-------
Mailman/Cgi/edithtml.py | 3 ++-
Mailman/Cgi/options.py | 4 ++--
Mailman/Gui/General.py | 9 +++++----
Mailman/HTMLFormatter.py | 11 ++++++++---
Mailman/Utils.py | 2 +-
Mailman/htmlformat.py | 17 +++++++++++++----
9 files changed, 60 insertions(+), 32 deletions(-)
(limited to 'Mailman')
diff --git a/Mailman/Cgi/admin.py b/Mailman/Cgi/admin.py
index 8434c817..f70a0721 100644
--- a/Mailman/Cgi/admin.py
+++ b/Mailman/Cgi/admin.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -1318,6 +1318,7 @@ def change_options(mlist, category, subcat, cgidata, doc):
# we display. Try uploading a file with 10k names -- it takes a while
# to render the status page.
for entry in entries:
+ safeentry = Utils.websafe(entry)
fullname, address = parseaddr(entry)
# Canonicalize the full name
fullname = Utils.canonstr(fullname, mlist.preferred_language)
@@ -1335,20 +1336,20 @@ def change_options(mlist, category, subcat, cgidata, doc):
send_admin_notif, invitation,
whence='admin mass sub')
except Errors.MMAlreadyAMember:
- subscribe_errors.append((entry, _('Already a member')))
+ subscribe_errors.append((safeentry, _('Already a member')))
except Errors.MMBadEmailError:
if userdesc.address == '':
subscribe_errors.append((_('<blank line>'),
_('Bad/Invalid email address')))
else:
- subscribe_errors.append((entry,
+ subscribe_errors.append((safeentry,
_('Bad/Invalid email address')))
except Errors.MMHostileAddress:
subscribe_errors.append(
- (entry, _('Hostile address (illegal characters)')))
+ (safeentry, _('Hostile address (illegal characters)')))
except Errors.MembershipIsBanned, pattern:
subscribe_errors.append(
- (entry, _('Banned address (matched %(pattern)s)')))
+ (safeentry, _('Banned address (matched %(pattern)s)')))
else:
member = Utils.uncanonstr(formataddr((fullname, address)))
subscribe_success.append(Utils.websafe(member))
@@ -1388,9 +1389,9 @@ def change_options(mlist, category, subcat, cgidata, doc):
addr, whence='admin mass unsub',
admin_notif=send_unsub_notifications,
userack=userack)
- unsubscribe_success.append(addr)
+ unsubscribe_success.append(Utils.websafe(addr))
except Errors.NotAMemberError:
- unsubscribe_errors.append(addr)
+ unsubscribe_errors.append(Utils.websafe(addr))
if unsubscribe_success:
doc.AddItem(Header(5, _('Successfully Unsubscribed:')))
doc.AddItem(UnorderedList(*unsubscribe_success))
diff --git a/Mailman/Cgi/admindb.py b/Mailman/Cgi/admindb.py
index 7f42c8ac..f36daae0 100644
--- a/Mailman/Cgi/admindb.py
+++ b/Mailman/Cgi/admindb.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -313,7 +313,7 @@ def show_pending_subs(mlist, form):
' ' + _('Permanently ban from this list')
# While the address may be a unicode, it must be ascii
paddr = addr.encode('us-ascii', 'replace')
- table.AddRow(['%s %s' % (paddr, fullname),
+ table.AddRow(['%s %s' % (paddr, Utils.websafe(fullname)),
radio,
TextBox('comment-%d' % id, size=40)
])
@@ -357,7 +357,7 @@ def show_pending_unsubs(mlist, form):
mlist.HandleRequest(id, mm_cfg.DISCARD)
continue
num += 1
- table.AddRow(['%s %s' % (addr, fullname),
+ table.AddRow(['%s %s' % (addr, Utils.websafe(fullname)),
RadioButtonArray(id, (_('Defer'),
_('Approve'),
_('Reject'),
diff --git a/Mailman/Cgi/create.py b/Mailman/Cgi/create.py
index 603a78e7..50f06070 100644
--- a/Mailman/Cgi/create.py
+++ b/Mailman/Cgi/create.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2001-2005 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2006 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -190,15 +190,24 @@ def process_request(doc, cgidata):
mlist.Create(listname, owner, pw, langs, emailhost)
finally:
os.umask(oldmask)
- except Errors.EmailAddressError, s:
+ except Errors.EmailAddressError, e:
+ if e.args:
+ s = Utils.websafe(e.args[0])
+ else:
+ s = Utils.websafe(owner)
request_creation(doc, cgidata,
_('Bad owner email address: %(s)s'))
return
except Errors.MMListAlreadyExistsError:
+ # MAS: List already exists so we don't need to websafe it.
request_creation(doc, cgidata,
_('List already exists: %(listname)s'))
return
- except Errors.BadListNameError, s:
+ except Errors.BadListNameError, e:
+ if e.args:
+ s = Utils.websafe(e.args[0])
+ else:
+ s = Utils.websafe(listname)
request_creation(doc, cgidata,
_('Illegal list name: %(s)s'))
return
@@ -321,15 +330,17 @@ def request_creation(doc, cgidata=dummy, errmsg=None):
ftable.AddRow([Center(Italic(_('List Identity')))])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, colspan=2)
- safelistname = Utils.websafe(cgidata.getvalue('listname', ''))
+ listname = cgidata.getvalue('listname', '')
+ # MAS: Don't websafe twice. TextBox does it.
ftable.AddRow([Label(_('Name of list:')),
- TextBox('listname', safelistname)])
+ TextBox('listname', listname)])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
- safeowner = Utils.websafe(cgidata.getvalue('owner', ''))
+ owner = cgidata.getvalue('owner', '')
+ # MAS: Don't websafe twice. TextBox does it.
ftable.AddRow([Label(_('Initial list owner address:')),
- TextBox('owner', safeowner)])
+ TextBox('owner', owner)])
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
diff --git a/Mailman/Cgi/edithtml.py b/Mailman/Cgi/edithtml.py
index 9ec54cef..b5967b34 100644
--- a/Mailman/Cgi/edithtml.py
+++ b/Mailman/Cgi/edithtml.py
@@ -143,7 +143,8 @@ def FormatHTML(mlist, doc, template_name, template_info):
doc.AddItem('
')
doc.AddItem('
')
form = Form(mlist.GetScriptURL('edithtml') + '/' + template_name)
- text = Utils.websafe(Utils.maketext(template_name, raw=1, mlist=mlist))
+ text = Utils.maketext(template_name, raw=1, mlist=mlist)
+ # MAS: Don't websafe twice. TextArea does it.
form.AddItem(TextArea('html_code', text, rows=40, cols=75))
form.AddItem('
' + _('When you are done making changes...'))
form.AddItem(SubmitButton('submit', _('Submit Changes')))
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index eb7adb67..d423f262 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -702,7 +702,7 @@ def options_page(mlist, doc, user, cpuser, userlang, message=''):
fullname = Utils.uncanonstr(mlist.getMemberName(user), userlang)
if fullname:
- presentable_user += ', %s' % fullname
+ presentable_user += ', %s' % Utils.websafe(fullname)
# Do replacements
replacements = mlist.GetStandardReplacements(userlang)
diff --git a/Mailman/Gui/General.py b/Mailman/Gui/General.py
index 487e7e0d..6b03fd2c 100644
--- a/Mailman/Gui/General.py
+++ b/Mailman/Gui/General.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2001-2005 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2006 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+# USA.
"""MailList mixin class managing the general options."""
@@ -439,13 +440,13 @@ class General(GUIBase):
GUIBase._setValue(self, mlist, property, val, doc)
def _escape(self, property, value):
- # The 'info' property allows HTML, but lets sanitize it to avoid XSS
+ # The 'info' property allows HTML, but let's sanitize it to avoid XSS
# exploits. Everything else should be fully escaped.
if property <> 'info':
return GUIBase._escape(self, property, value)
# Sanitize tags but nothing else. Not the best
# solution, but expedient.
- return re.sub(r'<([/]?script.*?)>', r'<\1>', value)
+ return re.sub(r'(?i)<([/]?script.*?)>', r'<\1>', value)
def _postValidate(self, mlist, doc):
if not mlist.reply_to_address.strip() and \
diff --git a/Mailman/HTMLFormatter.py b/Mailman/HTMLFormatter.py
index e6afda9b..99ed96da 100644
--- a/Mailman/HTMLFormatter.py
+++ b/Mailman/HTMLFormatter.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+# USA.
"""Routines for presentation of list-specific HTML text."""
@@ -332,8 +333,12 @@ class HTMLFormatter:
return ''
def FormatBox(self, name, size=20, value=''):
+ if isinstance(value, str):
+ safevalue = Utils.websafe(value)
+ else:
+ safevalue = value
return '' % (
- name, size, value)
+ name, size, safevalue)
def FormatSecureBox(self, name):
return '' % name
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 5c9707c7..10a589fd 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -205,7 +205,7 @@ def LCDomain(addr):
_badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]')
def ValidateEmail(s):
- """Verify that the an email address isn't grossly evil."""
+ """Verify that an email address isn't grossly evil."""
# Pretty minimal, cheesy check. We could do better...
if not s or s.count(' ') > 0:
raise Errors.MMBadEmailError
diff --git a/Mailman/htmlformat.py b/Mailman/htmlformat.py
index 1fe44d88..1a0bd22d 100644
--- a/Mailman/htmlformat.py
+++ b/Mailman/htmlformat.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+# USA.
"""Library for program-based construction of an HTML documents.
@@ -448,7 +449,11 @@ class PasswordBox(InputObj):
class TextBox(InputObj):
def __init__(self, name, value='', size=mm_cfg.TEXTFIELDWIDTH):
- InputObj.__init__(self, name, "TEXT", value, checked=0, size=size)
+ if isinstance(value, str):
+ safevalue = Utils.websafe(value)
+ else:
+ safevalue = value
+ InputObj.__init__(self, name, "TEXT", safevalue, checked=0, size=size)
class Hidden(InputObj):
def __init__(self, name, value=''):
@@ -457,8 +462,12 @@ class Hidden(InputObj):
class TextArea:
def __init__(self, name, text='', rows=None, cols=None, wrap='soft',
readonly=0):
+ if isinstance(text, str):
+ safetext = Utils.websafe(text)
+ else:
+ safetext = text
self.name = name
- self.text = text
+ self.text = safetext
self.rows = rows
self.cols = cols
self.wrap = wrap
--
cgit v1.2.3