From d42ff460f48550f01b7cf97935df4bcdfb829373 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Fri, 1 Mar 2019 18:24:14 -0800
Subject: Implement MAX_LISTNAME_LENGTH to avoid calculating on each web access.
---
 Mailman/Defaults.py.in | 9 +++++++++
 Mailman/Utils.py | 13 +++++++++----
 2 files changed, 18 insertions(+), 4 deletions(-)
(limited to 'Mailman')
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index 5e158e5b..fabd95bd 100755
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -166,6 +166,15 @@ HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s'
 # character that doesn't match this class. Do not include '/' in this list.
 ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
+# The number of characters in the longest listname in the installation. The
+# fix for LP: #1780874 truncates list names in web URLs to this length to avoid
+# a content spoofing vulnerability. If this is left at its default value of
+# 0, the length of the longest listname is calculated on every web access.
+# This can have performance implications in installations with a very large
+# number of lists. To use this feature to avoid the calculation, set this to
+# a number equal to the length of the longest expected valid list name.
+MAX_LISTNAME_LENGTH = 0
+
 # Shall the user's real names be displayed along with their email addresses
 # in list rosters? Defaults to No to preserve prior behavior.
 ROSTER_DISPLAY_REALNAME = No
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 47e4e5cc..10629fc4 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
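Review bot: The new comment block for MAX_LISTNAME_LENGTH in Mailman/Defaults.py.in does not say what happens when the configured value is wrong in either direction. Going by the comment's own description of the LP: #1780874 fix, a value shorter than an existing list name would presumably cause that list's name to be truncated in web URLs, and a value far larger than any real name lets more requester-supplied text through the truncation that the fix relies on. I would add two lines such as `# A value smaller than the longest real list name will break web access to` and `# that list; a much larger value weakens the content spoofing protection.` It would also help to say that the setting has to be revisited whenever a list with a longer name is created.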
@@ -292,11 +292,16 @@ def GetPathPieces(envar='PATH_INFO'):
 remote)
 # Check for listname injections that won't be websafed.
 pieces = [p for p in path.split('/') if p]
- # Get the longest listname or 20 if none.
- if list_names():
- longest = max([len(x) for x in list_names()])
+ # Get the longest listname or 20 if none or use MAX_LISTNAME_LENGTH if
+ # provided > 0.
+ if mm_cfg.MAX_LISTNAME_LENGTH > 0:
+ longest = mm_cfg.MAX_LISTNAME_LENGTH
 else:
- longest = 20
+ lst_names = list_names()
+ if lst_names:
+ longest = max([len(x) for x in lst_names])
+ else:
+ longest = 20
 if pieces and len(pieces[0]) > longest:
 syslog('mischief', 'Hostile listname: listname=%s: remote=%s',
 pieces[0], remote)
-- 
cgit v1.2.3
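Review bot: `mm_cfg.MAX_LISTNAME_LENGTH` becomes the length bound in the new `if` branch without any check that it is an integer, so a site that writes the value as a string in its configuration gets no error. If this code runs under Python 2's mixed-type ordering, `'30' > 0` is true and the later `len(pieces[0]) > longest` is then always false, which would silently switch off the hostile-listname check instead of failing loudly. Consider guarding the branch with `if isinstance(mm_cfg.MAX_LISTNAME_LENGTH, (int, long)) and mm_cfg.MAX_LISTNAME_LENGTH > 0:` so that any other value falls back to the computed length. GetPathPieces starts before this hunk and continues after it, so what happens once the check fires is not visible here.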