| author | bwarsaw | 2002-05-20 14:34:42 +0000 |
|---|---|---|
| committer | bwarsaw | 2002-05-20 14:34:42 +0000 |
| commit | 36d1d1448be770bfc392dc6a374ad675089a475b (patch) | |
| tree | aa20ade5d54247d6aa26692ac0ce87848d6d0e36 /Mailman/Utils.py | |
| parent | a2d3f7eb816655740a2251c902cdeb3244b085ac (diff) | |
Diffstat (limited to 'Mailman/Utils.py')
| -rw-r--r-- | Mailman/Utils.py | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 3c830ea71..86c77c1ef 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -31,6 +31,7 @@ import urlparse import sha import errno import time +import cgi import email.Iterators from string import whitespace, digits try: @@ -542,7 +543,7 @@ def rmdirhier(dir): -def GetRequestURI(fallback=None): +def GetRequestURI(fallback=None, escape=1): """Return the full virtual path this CGI script was invoked with. Newer web servers seems to supply this info in the REQUEST_URI @@ -553,13 +554,17 @@ def GetRequestURI(fallback=None): Optional argument `fallback' (default `None') is returned if both of the above methods fail. + The url will be cgi escaped to prevent cross-site scripting attacks, + unless `escape' is set to 0. """ + url = fallback if os.environ.has_key('REQUEST_URI'): - return os.environ['REQUEST_URI'] + url = os.environ['REQUEST_URI'] elif os.environ.has_key('SCRIPT_NAME') and os.environ.has_key('PATH_INFO'): - return os.environ['SCRIPT_NAME'] + os.environ['PATH_INFO'] - else: - return fallback + url = os.environ['SCRIPT_NAME'] + os.environ['PATH_INFO'] + if escape: + return cgi.escape(url) + return url |
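Review bot: With the default `fallback=None` and neither `REQUEST_URI` nor `SCRIPT_NAME`/`PATH_INFO` set, `url` is still `None` when it reaches `cgi.escape(url)` at the end of GetRequestURI, so the call would raise instead of returning the fallback as the docstring promises. Guarding the branch with `if escape and url is not None:` keeps the old contract. Separately, `cgi.escape` called without its `quote` argument leaves `"` unescaped, so if any caller places the result inside an HTML attribute (callers are not visible in this diff) the value can still break out of it; `return cgi.escape(url, 1)` covers that case. Callers that use the URI for something other than HTML output, such as a redirect target, would presumably need to pass `escape=0`, since the new default changes what they receive.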
