| author | msapiro | 2005-12-12 22:27:15 +0000 |
|---|---|---|
| committer | msapiro | 2005-12-12 22:27:15 +0000 |
| commit | 1e15a968a187bdb42904467349c65be89ac0959d (patch) | |
| tree | 5e7901b5641821136b95b5ac416eb06162363724 | |
| parent | c24125dacc8ff06289973be3ef034ee47b6cfd0b (diff) | |
| -rw-r--r-- | Mailman/Cgi/private.py | 33 | ||||
| -rw-r--r-- | NEWS | 5 |
2 files changed, 32 insertions, 6 deletions
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index cbab3b066..7dcd39cab 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -12,7 +12,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+# USA.
 
 """Provide a password-interface wrapper around private archives.
 """
@@ -67,10 +68,17 @@ def main():
         return
 
     path = os.environ.get('PATH_INFO')
+    tpath = true_path(path)
+    if tpath <> path[1:]:
+        msg = _('Private archive - "./" and "../" not allowed in URL.')
+        doc.SetTitle(msg)
+        doc.AddItem(Header(2, msg))
+        print doc.Format()
+        syslog('mischief', 'Private archive hostile path: %s', path)
+        return
     # BAW: This needs to be converted to the Site module abstraction
     true_filename = os.path.join(
-        mm_cfg.PRIVATE_ARCHIVE_FILE_DIR,
-        true_path(path))
+        mm_cfg.PRIVATE_ARCHIVE_FILE_DIR, tpath)
     listname = parts[0].lower()
     mboxfile = ''
 
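Review bot: The guard `if tpath <> path[1:]:` rests on two assumptions the hunk does not state: that `true_path()` (defined outside the hunk) alters a path only by dropping '.' and '..' components plus the leading '/', and that PATH_INFO is present and begins with '/'. If the `parts` check that ends with the `return` on the hunk's first line does not already guarantee a non-empty PATH_INFO, `path[1:]` raises TypeError on `None` before the comparison runs. A comment above the guard would make the invariant reviewable, e.g. `# Refuse rather than normalize: true_path() is expected to differ from the raw PATH_INFO (minus its leading '/') only when a '.' or '..' component was present; see CAN-2005-0202 in NEWS.` Writing the raw path to the 'mischief' log is useful for detection, but PATH_INFO is request-controlled, so anything that later parses those log lines should treat that field as untrusted. main() continues outside the hunk.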
@@ -127,11 +135,24 @@ def main():
     # Output the password form
     charset = Utils.GetCharSet(mlist.preferred_language)
     print 'Content-type: text/html; charset=' + charset + '\n\n'
-    while path and path[0] == '/':
-        path=path[1:] # Remove leading /'s
+    # Put the original full path in the authorization form, but avoid
+    # trailing slash if we're not adding parts. We add it below.
+    action = mlist.GetScriptURL('private', absolute=1)
+    if parts[1:]:
+        action = os.path.join(action, SLASH.join(parts[1:]))
+    # If we added '/index.html' to true_filename, add a slash to the
+    # URL. We need this because we no longer add the trailing slash in
+    # the private.html template. It's always OK to test parts[-1]
+    # since we've already verified parts[0] is listname.
+    # The basic rule is if the post URL (action) is a directory, it must
+    # be slash terminated, and not if it's a file. Otherwise, relative
+    # links in the target archive page don't work.
+    if true_filename.endswith('/index.html') and \
+            parts[-1] <> 'index.html':
+        action += SLASH
     print Utils.maketext(
         'private.html',
-        {'action' : mlist.GetScriptURL('private', absolute=1),
+        {'action' : action,
          'realname': mlist.real_name,
          'message' : message,
          }, mlist=mlist)
@@ -17,6 +17,9 @@ Here is a history of user visible changes to Mailman. Security + - The fix for CAN-2005-0202 has been enhanced to issue an appropriate message instead of just quietly dropping ./ and ../ from URLs. + - A note on CVE-2005-3573: Although the RFC2231 bug example in the CVE has been solved in mailman-2.1.6, there may be more cases where ToDigest.send_digests() can block regular delivery.
@@ -47,6 +50,8 @@ Here is a history of user visible changes to Mailman. Bug fixes and other patches + - Fix private.py to go to the original URL after authorization (1080943). + - Fix bounce log score messages to be more consistent. - Fix bin/remove_members to accept no arguments when both --fromall and |
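Review bot: `action = os.path.join(action, SLASH.join(parts[1:]))` puts request-derived path pieces into the form's action URL, which the next statement interpolates into private.html through Utils.maketext; before this change the action was the fixed script URL. The guard added earlier in this commit rejects only '.' and '..' components, so unless GetPathPieces or maketext (both outside the hunk) already escapes attribute-unsafe characters, a quote or angle bracket arriving in PATH_INFO would be reflected into the HTML attribute. Escaping at the point of use keeps the attribute well-formed regardless of what the caller did, e.g. `action = os.path.join(action, Utils.websafe(SLASH.join(parts[1:])))`, assuming Utils.websafe exists in this tree (otherwise cgi.escape with quote=True). os.path.join is also being applied to a URL rather than a filesystem path; joining with SLASH explicitly would state the intent and not depend on the platform separator. main() continues outside the hunk.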
