From f2d4b816b39a77c32562dc8a23b1fcd0e61cc869 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Thu, 30 Mar 2017 12:20:45 -0700
Subject: Fixed unexploitable XSS attach via crafted HTTP Host: header.
---
Mailman/Utils.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'Mailman')
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 7bae2e6e..739def1d 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -759,7 +759,7 @@ def get_domain():
 if port and host.endswith(':' + port):
 host = host[:-len(port)-1]
 if mm_cfg.VIRTUAL_HOST_OVERVIEW and host:
- return host.lower()
+ return websafe(host.lower())
 else:
 # See the note in Defaults.py concerning DEFAULT_URL
 # vs. DEFAULT_URL_HOST.
-- 
cgit v1.2.3
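Review bot: Wrapping the return in `websafe(host.lower())` applies HTML output encoding at the point where get_domain() reads the untrusted Host: header, so a value containing `<`, `>`, `&` or quotes is passed on as an entity-encoded string instead of being rejected, and any caller that already escapes for HTML will double-encode it, while callers that use the result in non-HTML contexts (URL construction, header values, lookups keyed on the host name) receive a mangled host; which callers consume get_domain() is not visible from this hunk. A hostname can never legitimately contain those characters, so validating the header and falling back to the configured default is the tighter fix: before `if mm_cfg.VIRTUAL_HOST_OVERVIEW and host:` add `if host and not re.match(r'^[A-Za-z0-9.\-]+$', host):` followed by `host = None`, which routes malformed values to the existing else branch (this assumes `re` is already imported in Utils.py, which the hunk does not show). Keeping the websafe() call on top of that is reasonable defence in depth, but the validation is what stops the crafted header from reaching any sink. The body of get_domain() begins before this hunk and continues past it.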