author: msapiro 2006-07-07 17:55:47 +0000
committer: msapiro 2006-07-07 17:55:47 +0000
commit: 60b723291e592ff7925e1b15b79161d1cdac5938 (patch)
tree: e8354261d5e0ce32c365fbb14bbc388ad85f9664 /Mailman/Utils.py
parent: c2f1602717fa63c5252a3178a6575c2ac943fbc5 (diff)
download: mailman-60b723291e592ff7925e1b15b79161d1cdac5938.tar.gz
mailman-60b723291e592ff7925e1b15b79161d1cdac5938.tar.zst
mailman-60b723291e592ff7925e1b15b79161d1cdac5938.zip
1 files changed, 63 insertions, 0 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 5e319cad3..42bacc16a 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -47,6 +47,7 @@ from Mailman.SafeDict import SafeDict
 
 EMPTYSTRING = ''
 UEMPTYSTRING = u''
+CR = '\r'
 NL = '\n'
 DOT = '.'
 IDENTCHARS = ascii_letters + digits + '_'
@@ -206,9 +207,16 @@ def ValidateEmail(s):
 
 
 
+# Patterns which may be used to form malicious path to inject a new
+# line in the mailman error log. (TK: advisory by Moritz Naumann)
+CRNLpat = re.compile(r'[^\x21-\x7e]')
+
 def GetPathPieces(envar='PATH_INFO'):
     path = os.environ.get(envar)
     if path:
+        if CRNLpat.search(path):
+            path = CRNLpat.split(path)[0]
+            log.error('Warning: Possible malformed path attack.')
         return [p for p in path.split('/') if p]
     return None
 
@@ -849,3 +857,58 @@ def oneline(s, cset):
     except (LookupError, UnicodeError, ValueError, HeaderParseError):
         # possibly charset problem. return with undecoded string in one line.
         return EMPTYSTRING.join(s.splitlines())
+
+
+def strip_verbose_pattern(pattern):
+    # Remove white space and comments from a verbose pattern and return a
+    # non-verbose, equivalent pattern.  Replace CR and NL in the result
+    # with '\\r' and '\\n' respectively to avoid multi-line results.
+    if not isinstance(pattern, str):
+        return pattern
+    newpattern = ''
+    i = 0
+    inclass = False
+    skiptoeol = False
+    copynext = False
+    while i < len(pattern):
+        c = pattern[i]
+        if copynext:
+            if c == NL:
+                newpattern += '\\n'
+            elif c == CR:
+                newpattern += '\\r'
+            else:
+                newpattern += c
+            copynext = False
+        elif skiptoeol:
+            if c == NL:
+                skiptoeol = False
+        elif c == '#' and not inclass:
+            skiptoeol = True
+        elif c == '[' and not inclass:
+            inclass = True
+            newpattern += c
+            copynext = True
+        elif c == ']' and inclass:
+            inclass = False
+            newpattern += c
+        elif re.search('\s', c):
+            if inclass:
+                if c == NL:
+                    newpattern += '\\n'
+                elif c == CR:
+                    newpattern += '\\r'
+                else:
+                    newpattern += c
+        elif c == '\\' and not inclass:
+            newpattern += c
+            copynext = True
+        else:
+            if c == NL:
+                newpattern += '\\n'
+            elif c == CR:
+                newpattern += '\\r'
+            else:
+                newpattern += c
+        i += 1
+    return newpattern
author	msapiro	2006-07-07 17:55:47 +0000
committer	msapiro	2006-07-07 17:55:47 +0000
commit	60b723291e592ff7925e1b15b79161d1cdac5938 (patch)
tree	e8354261d5e0ce32c365fbb14bbc388ad85f9664 /Mailman/Utils.py
parent	c2f1602717fa63c5252a3178a6575c2ac943fbc5 (diff)
download	mailman-60b723291e592ff7925e1b15b79161d1cdac5938.tar.gz mailman-60b723291e592ff7925e1b15b79161d1cdac5938.tar.zst mailman-60b723291e592ff7925e1b15b79161d1cdac5938.zip