Blame SOURCES/mailman-2.1.15-CVE-2015-2775.patch
|
|
49da8b |
=== modified file 'Mailman/Defaults.py.in'
|
|
|
49da8b |
--- a/Mailman/Defaults.py.in 2015-02-13 18:41:28 +0000
|
|
|
49da8b |
+++ b/Mailman/Defaults.py.in 2015-03-27 18:10:39 +0000
|
|
|
49da8b |
@@ -138,7 +138,7 @@
|
|
|
49da8b |
|
|
|
49da8b |
# A Python regular expression character class which defines the characters
|
|
|
49da8b |
# allowed in list names. Lists cannot be created with names containing any
|
|
|
49da8b |
-# character that doesn't match this class.
|
|
|
49da8b |
+# character that doesn't match this class. Do not include '/' in this list.
|
|
|
49da8b |
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
|
|
|
49da8b |
|
|
|
49da8b |
|
|
|
49da8b |
|
|
|
49da8b |
=== modified file 'Mailman/Utils.py'
|
|
|
49da8b |
--- a/Mailman/Utils.py 2015-01-23 23:50:47 +0000
|
|
|
49da8b |
+++ b/Mailman/Utils.py 2015-03-27 18:14:06 +0000
|
|
|
49da8b |
@@ -100,6 +100,12 @@
|
|
|
49da8b |
#
|
|
|
49da8b |
# The former two are for 2.1alpha3 and beyond, while the latter two are
|
|
|
49da8b |
# for all earlier versions.
|
|
|
49da8b |
+ #
|
|
|
49da8b |
+ # But first ensure the list name doesn't contain a path traversal
|
|
|
49da8b |
+ # attack.
|
|
|
49da8b |
+ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
|
|
|
49da8b |
+ syslog('mischief', 'Hostile listname: %s', listname)
|
|
|
49da8b |
+ return False
|
|
|
49da8b |
basepath = Site.get_listpath(listname)
|
|
|
49da8b |
for ext in ('.pck', '.pck.last', '.db', '.db.last'):
|
|
|
49da8b |
dbfile = os.path.join(basepath, 'config' + ext)
|
|
|
49da8b |
|