Forward port security patch from Mailman 2.0.8:

Fixes to prevent cross-site scripting exploits. See http://www.cert.org/advisories/CA-2000-02.html Reported by zeno@cgisecurity.com Fix is to cgi.escape() any strings regurgitated from the url back to the browser in the html response.
author: bwarsaw 2001-11-30 08:00:20 +0000
committer: bwarsaw 2001-11-30 08:00:20 +0000
commit: 2573211cd38281e3ff9c18be8babdc3d82371bd7 (patch)
tree: 2a883a62071a0b24ae7d997803cbf4ec2b6d2f93 /Mailman/Cgi/admin.py
parent: 85cb1112319965a77f5b6aff2d702d8740d5f855 (diff)
download: mailman-2573211cd38281e3ff9c18be8babdc3d82371bd7.tar.gz
mailman-2573211cd38281e3ff9c18be8babdc3d82371bd7.tar.zst
mailman-2573211cd38281e3ff9c18be8babdc3d82371bd7.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/Mailman/Cgi/admin.py b/Mailman/Cgi/admin.py
index fcff2d755..3d7a80be4 100644
--- a/Mailman/Cgi/admin.py
+++ b/Mailman/Cgi/admin.py
@@ -61,7 +61,9 @@ def main():
     try:
         mlist = MailList.MailList(listname, lock=0)
     except Errors.MMListError, e:
-        admin_overview(_('No such list <em>%(listname)s</em>'))
+        # Avoid cross-site scripting attacks
+        safelistname = cgi.escape(listname)
+        admin_overview(_('No such list <em>%(safelistname)s</em>'))
         syslog('error', 'admin.py access for non-existent list: %s',
                listname)
         return
author	bwarsaw	2001-11-30 08:00:20 +0000
committer	bwarsaw	2001-11-30 08:00:20 +0000
commit	2573211cd38281e3ff9c18be8babdc3d82371bd7 (patch)
tree	2a883a62071a0b24ae7d997803cbf4ec2b6d2f93 /Mailman/Cgi/admin.py
parent	85cb1112319965a77f5b6aff2d702d8740d5f855 (diff)
download	mailman-2573211cd38281e3ff9c18be8babdc3d82371bd7.tar.gz mailman-2573211cd38281e3ff9c18be8babdc3d82371bd7.tar.zst mailman-2573211cd38281e3ff9c18be8babdc3d82371bd7.zip