Forward port security patch from Mailman 2.0.8:

    Fixes to prevent cross-site scripting exploits.  See
    http://www.cert.org/advisories/CA-2000-02.html

    Reported by zeno@cgisecurity.com

    Fix is to cgi.escape() any strings regurgitated from the url back to
    the browser in the html response.

1 files changed, 6 insertions, 2 deletions

diff --git a/Mailman/Cgi/confirm.py b/Mailman/Cgi/confirm.py
index 50fb59b62..869100db0 100644
--- a/Mailman/Cgi/confirm.py
+++ b/Mailman/Cgi/confirm.py
@@ -49,7 +49,9 @@ def main():
     try:
         mlist = MailList.MailList(listname, lock=0)
     except Errors.MMListError, e:
-        bad_confirmation(doc, _('No such list <em>%(listname)s</em>'))
+        # Avoid cross-site scripting attacks
+        safelistname = cgi.escape(listname)
+        bad_confirmation(doc, _('No such list <em>%(safelistname)s</em>'))
         doc.AddItem(MailmanLogo())
         print doc.Format()
         syslog('error', 'No such list "%s": %s', listname, e)
@@ -81,8 +83,10 @@ def main():
 
     days = int(mm_cfg.PENDING_REQUEST_LIFE / mm_cfg.days(1) + 0.5)
     confirmurl = mlist.GetScriptURL('confirm', absolute=1)
+    # Avoid cross-site scripting attacks
+    safecookie = cgi.escape(cookie)
     badconfirmstr = _('''<b>Invalid confirmation string:</b>
-    %(cookie)s.
+    %(safecookie)s.
 
     <p>Note that confirmation strings expire approximately
     %(days)s days after the initial subscription request.  If your