| author | bwarsaw | 2000-09-29 00:05:05 +0000 |
|---|---|---|
| committer | bwarsaw | 2000-09-29 00:05:05 +0000 |
| commit | ceddf83bf0000704b4c2c3428db124e88d4a1ee4 (patch) | |
| tree | afb489a2eb004c39366553fb4cb12d9da5c8b7e7 /Mailman/Cgi/edithtml.py | |
| parent | 8fab2b4ea200b7fbdac7e5f99881f07047ef467c (diff) | |
Fixes for a minor local security hole. Some of the CGI scripts could
bomb with tracebacks if PATH_INFO environment variable wasn't defined.
Fixed this by making them all use Utils.GetPathPieces() and "doing
something sensible" when that returned a false value.
Also, edithtml is now hidden behind a login screen, so there's no need
to enter the list password to edit the html. You can't even get to
the list of files to edit unless you've admin authenticated. Closes
SF bug #114091, Jitterbug PR# 24.
Diffstat (limited to 'Mailman/Cgi/edithtml.py')
| -rw-r--r-- | Mailman/Cgi/edithtml.py | 44 |
1 files changed, 16 insertions, 28 deletions
diff --git a/Mailman/Cgi/edithtml.py b/Mailman/Cgi/edithtml.py
index 45a326e26..76c3338e9 100644
--- a/Mailman/Cgi/edithtml.py
+++ b/Mailman/Cgi/edithtml.py
@@ -25,6 +25,7 @@ from Mailman import MailList
 from Mailman.htmlformat import *
 from Mailman.HTMLFormatter import HTMLFormatter
 from Mailman import Errors
+from Mailman.Cgi import Auth
 from Mailman.Logging.Syslog import syslog
@@ -38,11 +39,8 @@ def main():
 )
 doc = Document()
-
- path = os.environ['PATH_INFO']
- parts = Utils.GetPathPieces(path)
-
- if len(parts) < 1:
+ parts = Utils.GetPathPieces()
+ if not parts:
 doc.AddItem(Header(2, "List name is required."))
 print doc.Format(bgcolor='#ffffff')
 return
@@ -56,6 +54,14 @@ def main():
 syslog('error', 'No such list "%s": %s\n' % (listname, e))
 return
+ # Must be authenticated to get any farther
+ cgidata = cgi.FieldStorage()
+ try:
+ Auth.authenticate(mlist, cgidata)
+ except Auth.NotLoggedInError, e:
+ Auth.loginpage(mlist, 'edithtml', e.message)
+ return
+
 # get the list._template_dir attribute
 HTMLFormatter.InitVars(mlist)
@@ -87,20 +93,8 @@ def main():
 return
 try:
- cgi_data = cgi.FieldStorage()
- if len(cgi_data.keys()):
- if not cgi_data.has_key('adminpw'):
- m = 'Error: You must supply the admin password to edit html.'
- doc.AddItem(Header(3, Italic(FontAttr(m, color="ff5060"))))
- doc.AddItem('<hr>')
- else:
- try:
- mlist.ConfirmAdminPassword(cgi_data['adminpw'].value)
- ChangeHTML(mlist, cgi_data, template_name, doc)
- except Errors.MMBadPasswordError:
- m = 'Error: Incorrect admin password.'
- doc.AddItem(Header(3, Italic(FontAttr(m, color="ff5060"))))
- doc.AddItem('<hr>')
+ if cgidata.keys():
+ ChangeHTML(mlist, cgidata, template_name, doc)
 FormatHTML(mlist, doc, template_name, template_info)
 finally:
 doc.AddItem(mlist.GetMailmanFooter())
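Review bot: The guard `if cgidata.keys():` in the last hunk fires on any non-empty form, including the login form that Auth.loginpage presumably posts back to this same script, so ChangeHTML is reached on a login submission that carries no `html_code`; keying on the actual field, `if cgidata.has_key('html_code'):`, makes the write path explicit whatever ChangeHTML does with a missing key (ChangeHTML is outside the hunk). With the per-request admin password gone, the template write is now authorized solely by the session that Auth.authenticate establishes, so any form post that reaches an authenticated admin's browser is accepted; a per-form token or a confirmation step on the write would close that, and if it is deferred a comment at the `# Must be authenticated to get any farther` line should say so. `Errors` appears to have been referenced only by the removed `except Errors.MMBadPasswordError` clause, so `from Mailman import Errors` may now be unused unless something else in the file uses it. main() continues outside the hunk.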
@@ -120,17 +114,11 @@ def FormatHTML(mlist, doc, template_name, template_info):
 doc.AddItem('<p>')
 doc.AddItem('<hr>')
 form = Form(mlist.GetScriptURL('edithtml') + '/' + template_name)
- doc.AddItem(form)
-
- password_table = Table()
- password_table.AddRow(['Enter the admin password to edit html:',
- PasswordBox('adminpw')])
- password_table.AddRow(['When you are done making changes...',
- SubmitButton('submit', 'Submit Changes')])
-
- form.AddItem(password_table)
 text = Utils.QuoteHyperChars(mlist.SnarfHTMLTemplate(template_name))
 form.AddItem(TextArea('html_code', text, rows=40, cols=75))
+ form.AddItem('<p>When you are done making changes...')
+ form.AddItem(SubmitButton('submit', 'Submit Changes'))
+ doc.AddItem(form)
|
