areguera / rpms / mailman

Forked from rpms/mailman 4 years ago
Clone
Source Code
GIT

Blame SOURCES/mailman-long_text_description.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-2.1 c8-stream-2.1
  1.   7812c94a16460af30357207786c259bc4486bd1c
  2.   SOURCES
  3.   mailman-long_text_description.patch
Blob History Raw
7812c9 
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
7812c9 
index 7cd7f9b..aebc1c9 100644
7812c9 
--- a/Mailman/Utils.py
7812c9 
+++ b/Mailman/Utils.py
7812c9 
@@ -259,10 +259,25 @@ CRNLpat = re.compile(r'[^\x21-\x7e]')
7812c9 
 def GetPathPieces(envar='PATH_INFO'):
7812c9 
     path = os.environ.get(envar)
7812c9 
     if path:
7812c9 
+        remote = os.environ.get('HTTP_FORWARDED_FOR',
7812c9 
+                 os.environ.get('HTTP_X_FORWARDED_FOR',
7812c9 
+                 os.environ.get('REMOTE_ADDR',
7812c9 
+                                'unidentified origin')))
7812c9 
         if CRNLpat.search(path):
7812c9 
             path = CRNLpat.split(path)[0]
7812c9 
             syslog('error', 'Warning: Possible malformed path attack.')
7812c9 
-        return [p for p in path.split('/') if p]
7812c9 
+        # Check for listname injections that won't be websafed.
7812c9 
+        pieces = [p for p in path.split('/') if p]
7812c9 
+        # Get the longest listname or 20 if none.
7812c9 
+        if list_names():
7812c9 
+            longest = max([len(x) for x in list_names()])
7812c9 
+        else:
7812c9 
+            longest = 20
7812c9 
+        if pieces and len(pieces[0]) > longest:
7812c9 
+            syslog('mischief',
7812c9 
+               'Hostile listname: listname=%s: remote=%s', pieces[0], remote)
7812c9 
+            pieces[0] = pieces[0][:longest] + '...'
7812c9 
+        return pieces
7812c9 
     return None
7812c9
7812c9

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation