From f653b2a70e36bccd6128c4f4b973e09ea898e2cf Mon Sep 17 00:00:00 2001
From: Mark Sapiro <msapiro@value.net>
Date: Thu, 9 Sep 2010 08:16:57 -0700
Subject: Two potential XSS vulnerabilities have been identified and fixed.

---
 Mailman/Cgi/listinfo.py  |   4 +-
 Mailman/HTMLFormatter.py |   7 +-
 Mailman/Utils.py         | 187 ++++++++++++++++++++++++-----------------------
 3 files changed, 100 insertions(+), 98 deletions(-)

(limited to 'Mailman')

diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py
index 22ab9d5f..8aaae14c 100644
--- a/Mailman/Cgi/listinfo.py
+++ b/Mailman/Cgi/listinfo.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2009 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2010 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -97,7 +97,7 @@ def listinfo_overview(msg=''):
             else:
                 advertised.append((mlist.GetScriptURL('listinfo'),
                                    mlist.real_name,
-                                   mlist.description))
+                                   Utils.websafe(mlist.description)))
     if msg:
         greeting = FontAttr(msg, color="ff5060", size="+1")
     else:
diff --git a/Mailman/HTMLFormatter.py b/Mailman/HTMLFormatter.py
index 3a21d961..dad51e74 100644
--- a/Mailman/HTMLFormatter.py
+++ b/Mailman/HTMLFormatter.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2008 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2010 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -383,8 +383,9 @@ class HTMLFormatter:
             '<mm-mailman-footer>' : self.GetMailmanFooter(),
             '<mm-list-name>' : self.real_name,
             '<mm-email-user>' : self._internal_name,
-            '<mm-list-description>' : self.description,
-            '<mm-list-info>' : BR.join(self.info.split(NL)),
+            '<mm-list-description>' : Utils.websafe(self.description),
+            '<mm-list-info>' : 
+                '<!---->' + BR.join(self.info.split(NL)) + '<!---->',
             '<mm-form-end>'  : self.FormatFormEnd(),
             '<mm-archive>'   : self.FormatArchiveAnchor(),
             '</mm-archive>'  : '</a>',
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 5cba077e..d5babc14 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2009 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2010 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -911,99 +911,100 @@ _badwords = [
     # Kludge to allow the specific tag that's in the options.html template.
     '<link(?! rel="SHORTCUT ICON" href="<mm-favicon>">)',
     '<meta',
+    '<object',
     '<script',
-    r'(?:^|\W)j(?:ava)?script(?:\W|$)',
-    r'(?:^|\W)vbs(?:cript)?(?:\W|$)',
-    r'(?:^|\W)domactivate(?:\W|$)',
-    r'(?:^|\W)domattrmodified(?:\W|$)',
-    r'(?:^|\W)domcharacterdatamodified(?:\W|$)',
-    r'(?:^|\W)domfocus(?:in|out)(?:\W|$)',
-    r'(?:^|\W)dommenuitem(?:in)?active(?:\W|$)',
-    r'(?:^|\W)dommousescroll(?:\W|$)',
-    r'(?:^|\W)domnodeinserted(?:intodocument)?(?:\W|$)',
-    r'(?:^|\W)domnoderemoved(?:fromdocument)?(?:\W|$)',
-    r'(?:^|\W)domsubtreemodified(?:\W|$)',
-    r'(?:^|\W)fscommand(?:\W|$)',
-    r'(?:^|\W)onabort(?:\W|$)',
-    r'(?:^|\W)on(?:de)?activate(?:\W|$)',
-    r'(?:^|\W)on(?:after|before)print(?:\W|$)',
-    r'(?:^|\W)on(?:after|before)update(?:\W|$)',
-    r'(?:^|\W)onbefore(?:(?:de)?activate|copy|cut|editfocus|paste)(?:\W|$)',
-    r'(?:^|\W)onbeforeunload(?:\W|$)',
-    r'(?:^|\W)onbegin(?:\W|$)',
-    r'(?:^|\W)onblur(?:\W|$)',
-    r'(?:^|\W)onbounce(?:\W|$)',
-    r'(?:^|\W)onbroadcast(?:\W|$)',
-    r'(?:^|\W)on(?:cell)?change(?:\W|$)',
-    r'(?:^|\W)oncheckboxstatechange(?:\W|$)',
-    r'(?:^|\W)on(?:dbl)?click(?:\W|$)',
-    r'(?:^|\W)onclose(?:\W|$)',
-    r'(?:^|\W)oncommand(?:update)?(?:\W|$)',
-    r'(?:^|\W)oncomposition(?:end|start)(?:\W|$)',
-    r'(?:^|\W)oncontextmenu(?:\W|$)',
-    r'(?:^|\W)oncontrolselect(?:\W|$)',
-    r'(?:^|\W)oncopy(?:\W|$)',
-    r'(?:^|\W)oncut(?:\W|$)',
-    r'(?:^|\W)ondataavailable(?:\W|$)',
-    r'(?:^|\W)ondataset(?:changed|complete)(?:\W|$)',
-    r'(?:^|\W)ondrag(?:drop|end|enter|exit|gesture|leave|over)?(?:\W|$)',
-    r'(?:^|\W)ondragstart(?:\W|$)',
-    r'(?:^|\W)ondrop(?:\W|$)',
-    r'(?:^|\W)onend(?:\W|$)',
-    r'(?:^|\W)onerror(?:update)?(?:\W|$)',
-    r'(?:^|\W)onfilterchange(?:\W|$)',
-    r'(?:^|\W)onfinish(?:\W|$)',
-    r'(?:^|\W)onfocus(?:in|out)?(?:\W|$)',
-    r'(?:^|\W)onhelp(?:\W|$)',
-    r'(?:^|\W)oninput(?:\W|$)',
-    r'(?:^|\W)onkey(?:up|down|press)(?:\W|$)',
-    r'(?:^|\W)onlayoutcomplete(?:\W|$)',
-    r'(?:^|\W)on(?:un)?load(?:\W|$)',
-    r'(?:^|\W)onlosecapture(?:\W|$)',
-    r'(?:^|\W)onmedia(?:complete|error)(?:\W|$)',
-    r'(?:^|\W)onmouse(?:down|enter|leave|move|out|over|up|wheel)(?:\W|$)',
-    r'(?:^|\W)onmove(?:end|start)?(?:\W|$)',
-    r'(?:^|\W)on(?:off|on)line(?:\W|$)',
-    r'(?:^|\W)onoutofsync(?:\W|$)',
-    r'(?:^|\W)onoverflow(?:changed)?(?:\W|$)',
-    r'(?:^|\W)onpage(?:hide|show)(?:\W|$)',
-    r'(?:^|\W)onpaint(?:\W|$)',
-    r'(?:^|\W)onpaste(?:\W|$)',
-    r'(?:^|\W)onpause(?:\W|$)',
-    r'(?:^|\W)onpopup(?:hidden|hiding|showing|shown)(?:\W|$)',
-    r'(?:^|\W)onprogress(?:\W|$)',
-    r'(?:^|\W)onpropertychange(?:\W|$)',
-    r'(?:^|\W)onradiostatechange(?:\W|$)',
-    r'(?:^|\W)onreadystatechange(?:\W|$)',
-    r'(?:^|\W)onrepeat(?:\W|$)',
-    r'(?:^|\W)onreset(?:\W|$)',
-    r'(?:^|\W)onresize(?:end|start)?(?:\W|$)',
-    r'(?:^|\W)onresume(?:\W|$)',
-    r'(?:^|\W)onreverse(?:\W|$)',
-    r'(?:^|\W)onrow(?:delete|enter|exit|inserted)(?:\W|$)',
-    r'(?:^|\W)onrows(?:delete|enter|inserted)(?:\W|$)',
-    r'(?:^|\W)onscroll(?:\W|$)',
-    r'(?:^|\W)onseek(?:\W|$)',
-    r'(?:^|\W)onselect(?:start)?(?:\W|$)',
-    r'(?:^|\W)onselectionchange(?:\W|$)',
-    r'(?:^|\W)onstart(?:\W|$)',
-    r'(?:^|\W)onstop(?:\W|$)',
-    r'(?:^|\W)onsubmit(?:\W|$)',
-    r'(?:^|\W)onsync(?:from|to)preference(?:\W|$)',
-    r'(?:^|\W)onsyncrestored(?:\W|$)',
-    r'(?:^|\W)ontext(?:\W|$)',
-    r'(?:^|\W)ontimeerror(?:\W|$)',
-    r'(?:^|\W)ontrackchange(?:\W|$)',
-    r'(?:^|\W)onunderflow(?:\W|$)',
-    r'(?:^|\W)onurlflip(?:\W|$)',
-    r'(?:^|\W)seeksegmenttime(?:\W|$)',
-    r'(?:^|\W)svgabort(?:\W|$)',
-    r'(?:^|\W)svgerror(?:\W|$)',
-    r'(?:^|\W)svgload(?:\W|$)',
-    r'(?:^|\W)svgresize(?:\W|$)',
-    r'(?:^|\W)svgscroll(?:\W|$)',
-    r'(?:^|\W)svgunload(?:\W|$)',
-    r'(?:^|\W)svgzoom(?:\W|$)',
+    r'\bj(?:ava)?script\b',
+    r'\bvbs(?:cript)?\b',
+    r'\bdomactivate\b',
+    r'\bdomattrmodified\b',
+    r'\bdomcharacterdatamodified\b',
+    r'\bdomfocus(?:in|out)\b',
+    r'\bdommenuitem(?:in)?active\b',
+    r'\bdommousescroll\b',
+    r'\bdomnodeinserted(?:intodocument)?\b',
+    r'\bdomnoderemoved(?:fromdocument)?\b',
+    r'\bdomsubtreemodified\b',
+    r'\bfscommand\b',
+    r'\bonabort\b',
+    r'\bon(?:de)?activate\b',
+    r'\bon(?:after|before)print\b',
+    r'\bon(?:after|before)update\b',
+    r'\bonbefore(?:(?:de)?activate|copy|cut|editfocus|paste)\b',
+    r'\bonbeforeunload\b',
+    r'\bonbegin\b',
+    r'\bonblur\b',
+    r'\bonbounce\b',
+    r'\bonbroadcast\b',
+    r'\bon(?:cell)?change\b',
+    r'\boncheckboxstatechange\b',
+    r'\bon(?:dbl)?click\b',
+    r'\bonclose\b',
+    r'\boncommand(?:update)?\b',
+    r'\boncomposition(?:end|start)\b',
+    r'\boncontextmenu\b',
+    r'\boncontrolselect\b',
+    r'\boncopy\b',
+    r'\boncut\b',
+    r'\bondataavailable\b',
+    r'\bondataset(?:changed|complete)\b',
+    r'\bondrag(?:drop|end|enter|exit|gesture|leave|over)?\b',
+    r'\bondragstart\b',
+    r'\bondrop\b',
+    r'\bonend\b',
+    r'\bonerror(?:update)?\b',
+    r'\bonfilterchange\b',
+    r'\bonfinish\b',
+    r'\bonfocus(?:in|out)?\b',
+    r'\bonhelp\b',
+    r'\boninput\b',
+    r'\bonkey(?:up|down|press)\b',
+    r'\bonlayoutcomplete\b',
+    r'\bon(?:un)?load\b',
+    r'\bonlosecapture\b',
+    r'\bonmedia(?:complete|error)\b',
+    r'\bonmouse(?:down|enter|leave|move|out|over|up|wheel)\b',
+    r'\bonmove(?:end|start)?\b',
+    r'\bon(?:off|on)line\b',
+    r'\bonoutofsync\b',
+    r'\bonoverflow(?:changed)?\b',
+    r'\bonpage(?:hide|show)\b',
+    r'\bonpaint\b',
+    r'\bonpaste\b',
+    r'\bonpause\b',
+    r'\bonpopup(?:hidden|hiding|showing|shown)\b',
+    r'\bonprogress\b',
+    r'\bonpropertychange\b',
+    r'\bonradiostatechange\b',
+    r'\bonreadystatechange\b',
+    r'\bonrepeat\b',
+    r'\bonreset\b',
+    r'\bonresize(?:end|start)?\b',
+    r'\bonresume\b',
+    r'\bonreverse\b',
+    r'\bonrow(?:delete|enter|exit|inserted)\b',
+    r'\bonrows(?:delete|enter|inserted)\b',
+    r'\bonscroll\b',
+    r'\bonseek\b',
+    r'\bonselect(?:start)?\b',
+    r'\bonselectionchange\b',
+    r'\bonstart\b',
+    r'\bonstop\b',
+    r'\bonsubmit\b',
+    r'\bonsync(?:from|to)preference\b',
+    r'\bonsyncrestored\b',
+    r'\bontext\b',
+    r'\bontimeerror\b',
+    r'\bontrackchange\b',
+    r'\bonunderflow\b',
+    r'\bonurlflip\b',
+    r'\bseeksegmenttime\b',
+    r'\bsvgabort\b',
+    r'\bsvgerror\b',
+    r'\bsvgload\b',
+    r'\bsvgresize\b',
+    r'\bsvgscroll\b',
+    r'\bsvgunload\b',
+    r'\bsvgzoom\b',
     ]
 
 
-- 
cgit v1.2.3