rpms / mailman

Clone
Source Code
GIT

Blame SOURCES/mailman-long_text_description.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-2.1 c8-stream-2.1 c8s-stream-2.1
  1.   c7
  2.   SOURCES
  3.   mailman-long_text_description.patch
Blob History Raw
5e5744 
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
5e5744 
index 7cd7f9b..aebc1c9 100644
5e5744 
--- a/Mailman/Utils.py
5e5744 
+++ b/Mailman/Utils.py
5e5744 
@@ -259,10 +259,25 @@ CRNLpat = re.compile(r'[^\x21-\x7e]')
5e5744 
 def GetPathPieces(envar='PATH_INFO'):
5e5744 
     path = os.environ.get(envar)
5e5744 
     if path:
5e5744 
+        remote = os.environ.get('HTTP_FORWARDED_FOR',
5e5744 
+                 os.environ.get('HTTP_X_FORWARDED_FOR',
5e5744 
+                 os.environ.get('REMOTE_ADDR',
5e5744 
+                                'unidentified origin')))
5e5744 
         if CRNLpat.search(path):
5e5744 
             path = CRNLpat.split(path)[0]
5e5744 
             syslog('error', 'Warning: Possible malformed path attack.')
5e5744 
-        return [p for p in path.split('/') if p]
5e5744 
+        # Check for listname injections that won't be websafed.
5e5744 
+        pieces = [p for p in path.split('/') if p]
5e5744 
+        # Get the longest listname or 20 if none.
5e5744 
+        if list_names():
5e5744 
+            longest = max([len(x) for x in list_names()])
5e5744 
+        else:
5e5744 
+            longest = 20
5e5744 
+        if pieces and len(pieces[0]) > longest:
5e5744 
+            syslog('mischief',
5e5744 
+               'Hostile listname: listname=%s: remote=%s', pieces[0], remote)
5e5744 
+            pieces[0] = pieces[0][:longest] + '...'
5e5744 
+        return pieces
5e5744 
     return None
5e5744
5e5744

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation