1 files changed, 36 insertions, 16 deletions

diff --git a/scripts/driver b/scripts/driver
index 8949e44e3..ea43c40eb 100644
--- a/scripts/driver
+++ b/scripts/driver
@@ -1,6 +1,6 @@
 # -*- python -*-
 
-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2004 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -22,6 +22,20 @@ import sys
 
 # From here on we are as bulletproof as possible!
 
+# The driver script prints out a lot of information when a Mailman bug is
+# encountered.  This really helps for development, but it also reveals
+# information about the host system that some administrators are not
+# comfortable with.  By setting STEALTH_MODE to 1, you disable the printing of
+# this information to the web pages.  This information is still, and always,
+# printed in the error logs.
+STEALTH_MODE = 1
+
+# This will be set to the entity escaper.
+def websafe(s):
+    return s
+
+
+
 # This standard driver script is used to run CGI programs, wrapped in code
 # that catches errors, and displays them as HTML.  This guarantees that
 # (almost) any problem in the Mailman software doesn't result in a Web server
@@ -41,22 +55,31 @@ import sys
 #   This would indicate a serious problem with the Python installation, so
 #   it's also highly unlikely to occur.
 
-
 
 def run_main():
+    global STEALTH_MODE, websafe
+
     # These will ensure that even if something between now and the
     # creation of the real logger below fails, we can still get
     # *something* meaningful.
     logger = None
     try:
         import paths
+        # When running in non-stealth mode, we need to escape entities,
+        # otherwise we're vulnerable to cross-site scripting attacks.
+        try:
+            if not STEALTH_MODE:
+                from Mailman.Utils import websafe
+        except:
+            STEALTH_MODE = 1
+            raise
         # Map stderr to a logger, if possible.
         from Mailman.Logging.StampedLogger import StampedLogger
         logger = StampedLogger('error',
                                label='admin',
-                               manual_reprime=True,
-                               nofail=False,
-                               immediate=True)
+                               manual_reprime=1,
+                               nofail=0,
+                               immediate=1)
         # Collect stdout in a cStringIO so that if /any/ errors occur during
         # printing it won't mess up our diagnostics page.
         from cStringIO import StringIO
@@ -103,10 +126,9 @@ def print_traceback(logfp=None):
     except ImportError:
         traceback = None
     try:
-        from Mailman.mm_cfg import VERSION, STEALTH_MODE
+        from Mailman.mm_cfg import VERSION
     except ImportError:
         VERSION = '<undetermined>'
-        STEALTH_MODE = False
 
     # Write to the log file first.
     print >> logfp, '@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@'
@@ -132,11 +154,13 @@ please email a copy of this page to the webmaster for this site with
 a description of what happened.  Thanks!
 
 <h4>Traceback:</h4><p><pre>'''
+        exc_info = sys.exc_info()
         if traceback:
-            traceback.print_exc(file=sys.stdout)
+            for line in traceback.format_exception(*exc_info):
+                print websafe(line),
         else:
             print '[failed to import module traceback]'
-            print '[exc: %s, var: %s]' % sys.exc_info()[0:2]
+            print '[exc: %s, var: %s]' % [websafe(x) for x in exc_info[0:2]]
         print '\n\n</pre></body>'
     else:
         print '''<p>Please inform the webmaster for this site of this
@@ -155,12 +179,6 @@ def print_environment(logfp=None):
     except ImportError:
         os = None
 
-    try:
-        from Mailman.mm_cfg import STEALTH_MODE
-    except ImportError:
-        VERSION = '&lt;undetermined&gt;'
-        STEALTH_MODE = False
-
     # Write some information about our Python executable to the log file.
     print >> logfp, '[----- Python Information -----]'
     print >> logfp, 'sys.version     =', sys.version
@@ -210,7 +228,9 @@ def print_environment(logfp=None):
 '''
         if os:
             for k, v in os.environ.items():
-                print '<tr><td><tt>', k, '</tt></td><td>', v, '</td></tr>'
+                print '<tr><td><tt>', websafe(k), \
+                      '</tt></td><td>', websafe(v), \
+                      '</td></tr>'
             print '</table>'
         else:
             print '<p><hr>[failed to import module os]'