Re: Mailman vulnerability


 



On Wed, 15 Nov 2006 00:50:46 -0600, David Eisenstein <deisenst@xxxxxxx> wrote:
> 
> We still need work on the FC3 version of this package:
>    mailman-2.1.5-32.fc3.src.rpm
> in Bugzilla #211676.

This should be easier, as the patches I used from RHEL (attached in this mail) were for mailman 2.1.5. Maybe they can be applied directly.

--
---------------------------------------------------------
Lic. Martín Marqués         |   SELECT 'mmarques' || 
Centro de Telemática        |       '@' || 'unl.edu.ar';
Universidad Nacional        |   DBA, Programador, 
    del Litoral             |   Administrador
---------------------------------------------------------
--- mailman/Mailman/Handlers/Scrubber.py.orig	2006-06-13 22:05:53.000000000 +0300
+++ mailman/Mailman/Handlers/Scrubber.py	2006-06-13 22:04:24.000000000 +0300
@@ -266,7 +266,11 @@
             finally:
                 os.umask(omask)
             desc = part.get('content-description', _('not available'))
-            filename = part.get_filename(_('not available'))
+            try:
+                filename = part.get_filename(_('not available'))
+            except ValueError:
+                # Hack to deal with filename containing ' character.
+                filename = _('not available')
             del part['content-type']
             del part['content-transfer-encoding']
             part.set_payload(_("""\
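Review bot: The comment on the added `except ValueError:` in the `-266` hunk attributes the failure to a `'` character, but the `-358` hunk's own comment shows the real origin: `email.Utils.decode_rfc2231` raising `need more than 2 values to unpack` on a malformed RFC 2231 filename parameter, which means a sender-controlled header of that shape used to abort the whole scrub. Suggest `# A malformed RFC 2231 filename parameter makes email.Utils.decode_rfc2231 raise ValueError; fall back instead of aborting the scrub.` The same get_filename/ValueError guard is written out three times (here, at `-358` and at `-377`); a small module-level helper such as `_get_filename(part, default)` that returns `default` on ValueError would keep the three sites consistent. The enclosing function continues outside the hunk.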
@@ -358,8 +362,16 @@
     # e.g. image/jpg (should be image/jpeg).  For now we just store such
     # things as application/octet-streams since that seems the safest.
     ctype = msg.get_content_type()
-    fnext = os.path.splitext(msg.get_filename(''))[1]
-    ext = guess_extension(ctype, fnext)
+    try:
+        fnext = os.path.splitext(msg.get_filename(''))[1]
+    except ValueError:
+        # Catch the case when msg.get_filename('') fails with a
+        # ValueError: need more than 2 values to unpack
+        # File "/usr/lib/python2.4/email/Utils.py", line 222, in decode_rfc2231
+        #   charset, language, s = parts
+        ext = ''
+    else:
+        ext = guess_extension(ctype, fnext)
     if not ext:
         # We don't know what it is, so assume it's just a shapeless
         # application/octet-stream, unless the Content-Type: is
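Review bot: On the added `except ValueError:` branch, `ext = ''` skips `guess_extension` entirely, so a part with a perfectly good Content-Type still lands in the `if not ext:` fallback below just because its filename parameter was malformed. The ValueError comes from `msg.get_filename('')`, not from `os.path.splitext`, so the lookup can still run on the content type: make the handler `except ValueError:` / `    fnext = ''` and follow the try/except with an unconditional `ext = guess_extension(ctype, fnext)` instead of the `else:` branch. The enclosing function starts and ends outside the hunk.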
@@ -377,7 +389,11 @@
     try:
         # Now base the filename on what's in the attachment, uniquifying it if
         # necessary.
-        filename = msg.get_filename()
+        try:
+            filename = msg.get_filename()
+        except ValueError:
+            # Another case of catching filenames that contain a ' character.
+            filename = ''
         if not filename:
             filebase = 'attachment'
         else:
--- mailman-2.1.5.1/Mailman/Cgi/admindb.py.CVE-2006-3636	2004-04-30 18:50:42.000000000 +0200
+++ mailman-2.1.5.1/Mailman/Cgi/admindb.py	2006-08-23 12:24:06.000000000 +0200
@@ -310,7 +310,7 @@
                      '&nbsp;' + _('Permanently ban from this list')
         # While the address may be a unicode, it must be ascii
         paddr = addr.encode('us-ascii', 'replace')
-        table.AddRow(['%s<br><em>%s</em>' % (paddr, fullname),
+        table.AddRow(['%s<br><em>%s</em>' % (paddr, Utils.websafe(fullname)),
                       radio,
                       TextBox('comment-%d' % id, size=40)
                       ])
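Review bot: Only `fullname` is wrapped in `Utils.websafe` on the changed `table.AddRow` line; `paddr` here, and `addr` in the `-354` hunk, are still interpolated into the row unescaped. That presumably relies on `Utils.ValidateEmail`'s `_badchars` (visible as context in the Utils.py hunk) rejecting `<`, `>` and parentheses before an address reaches the request queue; if any path enqueues an address without that check, passing `paddr` and `addr` through `Utils.websafe` as well is the cheap, consistent defense. The enclosing function starts outside the hunk.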
@@ -354,7 +354,7 @@
             mlist.HandleRequest(id, mm_cfg.DISCARD)
             continue
         num += 1
-        table.AddRow(['%s<br><em>%s</em>' % (addr, fullname),
+        table.AddRow(['%s<br><em>%s</em>' % (addr, Utils.websafe(fullname)),
                       RadioButtonArray(id, (_('Defer'),
                                             _('Approve'),
                                             _('Reject'),
--- mailman-2.1.5.1/Mailman/Cgi/create.py.CVE-2006-3636	2004-02-29 18:07:51.000000000 +0100
+++ mailman-2.1.5.1/Mailman/Cgi/create.py	2006-08-23 12:24:06.000000000 +0200
@@ -187,15 +187,24 @@
                 mlist.Create(listname, owner, pw, langs, emailhost)
             finally:
                 os.umask(oldmask)
-        except Errors.EmailAddressError, s:
+        except Errors.EmailAddressError, e:
+            if e.args:
+                s = Utils.websafe(e.args[0])
+            else:
+                s = Utils.websafe(owner)
             request_creation(doc, cgidata,
                              _('Bad owner email address: %(s)s'))
             return
         except Errors.MMListAlreadyExistsError:
+            # MAS: List already exists so we don't need to websafe it.
             request_creation(doc, cgidata,
                              _('List already exists: %(listname)s'))
             return
-        except Errors.BadListNameError, s:
+        except Errors.BadListNameError, e:
+            if e.args:
+                s = Utils.websafe(e.args[0])
+            else:
+                s = Utils.websafe(listname)
             request_creation(doc, cgidata,
                              _('Illegal list name: %(s)s'))
             return
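Review bot: The `EmailAddressError` and `BadListNameError` handlers in the `-187` hunk now carry an identical four-line "first exception argument, else fallback, then websafe" block; a module-private helper would keep the two escaping paths from drifting apart while the `_('... %(s)s')` interpolation keeps reading the local `s`. Whether `e.args[0]` is always a string is not visible here; if either error is ever raised with a non-string argument, `Utils.websafe` receives it unchanged, so that is worth confirming at the raise sites. The enclosing function starts and ends outside the hunk.
```python
def _safe_errarg(e, fallback):
    # First exception argument if present, else the caller's value; HTML-escaped either way.
    if e.args:
        return Utils.websafe(e.args[0])
    return Utils.websafe(fallback)

# … in the handlers, replacing the duplicated if/else blocks …
        except Errors.EmailAddressError, e:
            s = _safe_errarg(e, owner)
            # … unchanged: request_creation call and return …
        except Errors.BadListNameError, e:
            s = _safe_errarg(e, listname)
            # … unchanged: request_creation call and return …
```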
@@ -318,15 +327,17 @@
     ftable.AddRow([Center(Italic(_('List Identity')))])
     ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, colspan=2)
 
-    safelistname = Utils.websafe(cgidata.getvalue('listname', ''))
+    listname = cgidata.getvalue('listname', '')
+    # MAS: Don't websafe twice.  TextBox does it.
     ftable.AddRow([Label(_('Name of list:')),
-                   TextBox('listname', safelistname)])
+                   TextBox('listname', listname)])
     ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
     ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
 
-    safeowner = Utils.websafe(cgidata.getvalue('owner', ''))
+    owner = cgidata.getvalue('owner', '')
+    # MAS: Don't websafe twice.  TextBox does it.
     ftable.AddRow([Label(_('Initial list owner address:')),
-                   TextBox('owner', safeowner)])
+                   TextBox('owner', owner)])
     ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 0, bgcolor=GREY)
     ftable.AddCellInfo(ftable.GetCurrentRowIndex(), 1, bgcolor=GREY)
 
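Review bot: `listname` and `owner` are now handed to `TextBox` raw on the assumption that it escapes them, but the escape `TextBox.__init__` gains in the htmlformat.py hunk only fires when `isinstance(value, str)`; `cgi.FieldStorage.getvalue` returns a list when the same field name is repeated in the request, and such a value would reach the input attribute unescaped. `listname = cgidata.getfirst('listname', '')` and `owner = cgidata.getfirst('owner', '')` always yield a single string, which `TextBox` can then escape. The two `# MAS: Don't websafe twice.  TextBox does it.` comments would also read better placed directly above the `TextBox(...)` lines they describe. The enclosing function starts and ends outside the hunk.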
--- mailman-2.1.5.1/Mailman/Cgi/options.py.CVE-2006-3636	2004-02-29 17:45:27.000000000 +0100
+++ mailman-2.1.5.1/Mailman/Cgi/options.py	2006-08-23 12:24:06.000000000 +0200
@@ -652,7 +652,7 @@
 
     fullname = Utils.uncanonstr(mlist.getMemberName(user), userlang)
     if fullname:
-        presentable_user += ', %s' % fullname
+        presentable_user += ', %s' % Utils.websafe(fullname)
 
     # Do replacements
     replacements = mlist.GetStandardReplacements(userlang)
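Review bot: Only the `fullname` suffix is escaped on the changed line; the address half of `presentable_user` is assembled above the hunk and is not visible here, so confirm it is also passed through `Utils.websafe` (or is otherwise constrained, e.g. by `ValidateEmail`) before the string goes into the replacements dictionary. A one-line comment at the changed line, `# fullname is member-supplied; escape before it reaches the template`, would record why this half needs it. The enclosing function starts and ends outside the hunk.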
--- mailman-2.1.5.1/Mailman/Cgi/edithtml.py.CVE-2006-3636	2002-05-22 05:00:18.000000000 +0200
+++ mailman-2.1.5.1/Mailman/Cgi/edithtml.py	2006-08-23 12:24:06.000000000 +0200
@@ -140,7 +140,8 @@
     doc.AddItem('<p>')
     doc.AddItem('<hr>')
     form = Form(mlist.GetScriptURL('edithtml') + '/' + template_name)
-    text = Utils.websafe(Utils.maketext(template_name, raw=1, mlist=mlist))
+    text = Utils.maketext(template_name, raw=1, mlist=mlist)
+    # MAS: Don't websafe twice.  TextArea does it.
     form.AddItem(TextArea('html_code', text, rows=40, cols=75))
     form.AddItem('<p>' + _('When you are done making changes...'))
     form.AddItem(SubmitButton('submit', _('Submit Changes')))
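Review bot: The new `text = Utils.maketext(...)` line relies on `TextArea` escaping, but the escape added to `TextArea.__init__` in the htmlformat.py hunk is conditional on `isinstance(text, str)`; whether `Utils.maketext(..., raw=1, ...)` can return a unicode object is not visible here, and if it can, the template body would be placed inside the `<textarea>` unescaped. Confirm the return type, or widen the `TextArea` check to `basestring`. The `# MAS: Don't websafe twice.  TextArea does it.` comment should sit above the assignment it explains rather than after it. The enclosing function starts outside the hunk.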
--- mailman-2.1.5.1/Mailman/Cgi/admin.py.CVE-2006-3636	2003-12-24 18:27:45.000000000 +0100
+++ mailman-2.1.5.1/Mailman/Cgi/admin.py	2006-08-23 12:25:48.000000000 +0200
@@ -1319,6 +1319,7 @@
         # we display.  Try uploading a file with 10k names -- it takes a while
         # to render the status page.
         for entry in entries:
+            safeentry = Utils.websafe(entry)
             fullname, address = parseaddr(entry)
             # Canonicalize the full name
             fullname = Utils.canonstr(fullname, mlist.preferred_language)
@@ -1336,17 +1337,17 @@
                                             send_admin_notif, invitation,
                                             whence='admin mass sub')
             except Errors.MMAlreadyAMember:
-                subscribe_errors.append((entry, _('Already a member')))
+                subscribe_errors.append((safeentry, _('Already a member')))
             except Errors.MMBadEmailError:
                 if userdesc.address == '':
                     subscribe_errors.append((_('&lt;blank line&gt;'),
                                              _('Bad/Invalid email address')))
                 else:
-                    subscribe_errors.append((entry,
+                    subscribe_errors.append((safeentry,
                                              _('Bad/Invalid email address')))
             except Errors.MMHostileAddress:
                 subscribe_errors.append(
-                    (entry, _('Hostile address (illegal characters)')))
+                    (safeentry, _('Hostile address (illegal characters)')))
             else:
                 member = Utils.uncanonstr(formataddr((fullname, address)))
                 subscribe_success.append(Utils.websafe(member))
@@ -1386,9 +1387,9 @@
                     addr, whence='admin mass unsub',
                     admin_notif=send_unsub_notifications,
                     userack=userack)
-                unsubscribe_success.append(addr)
+                unsubscribe_success.append(Utils.websafe(addr))
             except Errors.NotAMemberError:
-                unsubscribe_errors.append(addr)
+                unsubscribe_errors.append(Utils.websafe(addr))
         if unsubscribe_success:
             doc.AddItem(Header(5, _('Successfully Unsubscribed:')))
             doc.AddItem(UnorderedList(*unsubscribe_success))
--- mailman-2.1.5.1/Mailman/Utils.py.CVE-2006-3636	2003-12-26 23:50:04.000000000 +0100
+++ mailman-2.1.5.1/Mailman/Utils.py	2006-08-23 12:24:06.000000000 +0200
@@ -201,7 +201,7 @@
 _badchars = re.compile(r'[][()<>|;^,/\200-\377]')
 
 def ValidateEmail(s):
-    """Verify that the an email address isn't grossly evil."""
+    """Verify that an email address isn't grossly evil."""
     # Pretty minimal, cheesy check.  We could do better...
     if not s or s.count(' ') > 0:
         raise Errors.MMBadEmailError
--- mailman-2.1.5.1/Mailman/htmlformat.py.CVE-2006-3636	2003-09-22 04:58:13.000000000 +0200
+++ mailman-2.1.5.1/Mailman/htmlformat.py	2006-08-23 12:24:06.000000000 +0200
@@ -448,7 +448,11 @@
 
 class TextBox(InputObj):
     def __init__(self, name, value='', size=mm_cfg.TEXTFIELDWIDTH):
-        InputObj.__init__(self, name, "TEXT", value, checked=0, size=size)
+        if isinstance(value, str):
+            safevalue = Utils.websafe(value)
+        else:
+            safevalue = value
+        InputObj.__init__(self, name, "TEXT", safevalue, checked=0, size=size)
 
 class Hidden(InputObj):
     def __init__(self, name, value=''):
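Review bot: The new `isinstance(value, str)` guard in `TextBox.__init__` escapes byte strings only, so a unicode value is forwarded to `InputObj` unescaped; in Python 2 `basestring` covers both, so `if isinstance(value, basestring):` is the safer test unless `Utils.websafe` cannot accept unicode, which is not visible here. The same `str`-only test is added to `TextArea.__init__` in the `-457` hunk and to `HTMLFormatter.FormatBox` in the HTMLFormatter.py hunk, so all three should change together. Non-string values intentionally pass through unchanged, which deserves a comment such as `# Non-text values (e.g. ints) are emitted as-is; only text is HTML-escaped.`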
@@ -457,8 +461,12 @@
 class TextArea:
     def __init__(self, name, text='', rows=None, cols=None, wrap='soft',
                  readonly=0):
+        if isinstance(text, str):
+            safetext = Utils.websafe(text)
+        else:
+            safetext = text
         self.name = name
-        self.text = text
+        self.text = safetext
         self.rows = rows
         self.cols = cols
         self.wrap = wrap
--- mailman-2.1.5.1/Mailman/Gui/General.py.CVE-2006-3636	2004-02-17 20:27:46.000000000 +0100
+++ mailman-2.1.5.1/Mailman/Gui/General.py	2006-08-23 12:24:06.000000000 +0200
@@ -433,13 +433,13 @@
             GUIBase._setValue(self, mlist, property, val, doc)
 
     def _escape(self, property, value):
-        # The 'info' property allows HTML, but lets sanitize it to avoid XSS
+        # The 'info' property allows HTML, but let's sanitize it to avoid XSS
         # exploits.  Everything else should be fully escaped.
         if property <> 'info':
             return GUIBase._escape(self, property, value)
         # Sanitize <script> and </script> tags but nothing else.  Not the best
         # solution, but expedient.
-        return re.sub(r'<([/]?script.*?)>', r'&lt;\1&gt;', value)
+        return re.sub(r'(?i)<([/]?script.*?)>', r'&lt;\1&gt;', value)
 
     def _postValidate(self, mlist, doc):
         if not mlist.reply_to_address.strip() and \
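Review bot: The `(?i)` added to the `_escape` regex fixes case-sensitive matching but leaves the approach a one-tag denylist, as the existing `Not the best solution, but expedient` comment already concedes: only `<script>`/`</script>` are rewritten and every other piece of markup in the `info` property is returned verbatim. The durable fix is an allowlist of permitted tags and attributes rather than a wider pattern; short of that, the comment should state the limitation plainly so `info` is not mistaken for sanitized HTML, e.g. `# Only script tags are neutralised; all other markup passes through unchanged.`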
--- mailman-2.1.5.1/Mailman/HTMLFormatter.py.CVE-2006-3636	2003-09-29 17:01:22.000000000 +0200
+++ mailman-2.1.5.1/Mailman/HTMLFormatter.py	2006-08-23 12:24:06.000000000 +0200
@@ -332,8 +332,12 @@
         return '</FORM>'
 
     def FormatBox(self, name, size=20, value=''):
+        if isinstance(value, str):
+            safevalue = Utils.websafe(value)
+        else:
+            safevalue = value
         return '<INPUT type="Text" name="%s" size="%d" value="%s">' % (
-            name, size, value)
+            name, size, safevalue)
 
     def FormatSecureBox(self, name):
         return '<INPUT type="Password" name="%s" size="15">' % name
--
fedora-legacy-list mailing list
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list

