| -rw-r--r-- | Mailman/Archiver/HyperArch.py | 4 | ||||
| -rw-r--r-- | Mailman/Cgi/admin.py | 2 | ||||
| -rw-r--r-- | Mailman/Cgi/admindb.py | 14 | ||||
| -rw-r--r-- | Mailman/Cgi/confirm.py | 10 | ||||
| -rw-r--r-- | Mailman/Cgi/edithtml.py | 7 | ||||
| -rw-r--r-- | Mailman/Cgi/listinfo.py | 2 | ||||
| -rw-r--r-- | Mailman/Cgi/options.py | 10 | ||||
| -rw-r--r-- | Mailman/Cgi/private.py | 2 | ||||
| -rw-r--r-- | Mailman/Cgi/rmlist.py | 2 | ||||
| -rw-r--r-- | Mailman/Cgi/roster.py | 2 | ||||
| -rw-r--r-- | Mailman/Cgi/subscribe.py | 2 | ||||
| -rw-r--r-- | Mailman/Handlers/Scrubber.py | 5 | ||||
| -rw-r--r-- | Mailman/Utils.py | 7 | ||||
| -rw-r--r-- | Mailman/htmlformat.py | 2 |
14 files changed, 34 insertions, 37 deletions
diff --git a/Mailman/Archiver/HyperArch.py b/Mailman/Archiver/HyperArch.py index 32b5d6492..8aaac8319 100644 --- a/Mailman/Archiver/HyperArch.py +++ b/Mailman/Archiver/HyperArch.py @@ -101,9 +101,9 @@ html_charset = '<META http-equiv="Content-Type" ' \ def CGIescape(arg): if isinstance(arg, types.UnicodeType): - s = cgi.escape(arg) + s = Utils.websafe(arg) else: - s = cgi.escape(str(arg)) + s = Utils.websafe(str(arg)) return unicode_quote(s.replace('"', '"')) # Parenthesized human name diff --git a/Mailman/Cgi/admin.py b/Mailman/Cgi/admin.py index 01514b49e..54a041eee 100644 --- a/Mailman/Cgi/admin.py +++ b/Mailman/Cgi/admin.py @@ -66,7 +66,7 @@ def main(): mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: # Avoid cross-site scripting attacks - safelistname = cgi.escape(listname) + safelistname = Utils.websafe(listname) admin_overview(_('No such list <em>%(safelistname)s</em>')) syslog('error', 'admin.py access for non-existent list: %s', listname) diff --git a/Mailman/Cgi/admindb.py b/Mailman/Cgi/admindb.py index 8a887bf48..18d96420e 100644 --- a/Mailman/Cgi/admindb.py +++ b/Mailman/Cgi/admindb.py @@ -81,7 +81,7 @@ def main(): mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: # Avoid cross-site scripting attacks - safelistname = cgi.escape(listname) + safelistname = Utils.websafe(listname) handle_no_list(_('No such list <em>%(safelistname)s</em>')) syslog('error', 'No such list "%s": %s\n', listname, e) return @@ -193,7 +193,7 @@ def main(): } addform = 1 if sender: - esender = cgi.escape(sender) + esender = Utils.websafe(sender) d['description'] = _("all of %(esender)s's held messages.") doc.AddItem(Utils.maketext('admindbpreamble.html', d, raw=1, mlist=mlist)) 
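Review bot: The `.replace('"', …)` on CGIescape's return line is now redundant: Utils.websafe calls cgi.escape with quote=1, so every double quote in `s` has already been turned into `&quot;` before the replace runs (its second argument appears to have been rendered as a bare quote on this page). Either drop the replace or leave a comment such as `# websafe() already turns '"' into '&quot;'` so the next reader does not assume quoting still happens on this line. The hunk also relies on `Utils` being imported in HyperArch.py, which is not visible in this excerpt.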
@@ -353,7 +353,7 @@ def show_helds_overview(mlist, form): senders.sort() for sender in senders: qsender = quote_plus(sender) - esender = cgi.escape(sender) + esender = Utils.websafe(sender) senderurl = admindburl + '?sender=' + qsender # The encompassing sender table stable = Table(border=1) @@ -448,7 +448,7 @@ def show_helds_overview(mlist, form): t = Table(border=0) t.AddRow([Link(admindburl + '?msgid=%d' % id, '[%d]' % counter), Bold(_('Subject:')), - cgi.escape(subject) + Utils.websafe(subject) ]) t.AddRow([' ', Bold(_('Size:')), str(size) + _(' bytes')]) t.AddRow([' ', Bold(_('Reason:')), @@ -556,13 +556,13 @@ def show_post_requests(mlist, id, info, total, count, form): else: body = EMPTYSTRING.join(lines) hdrtxt = NL.join(['%s: %s' % (k, v) for k, v in msg.items()]) - hdrtxt = cgi.escape(hdrtxt) + hdrtxt = Utils.websafe(hdrtxt) # Okay, we've reconstituted the message just fine. Now for the fun part! t = Table(cellspacing=0, cellpadding=0, width='100%') t.AddRow([Bold(_('From:')), sender]) row, col = t.GetCurrentRowIndex(), t.GetCurrentCellIndex() t.AddCellInfo(row, col-1, align='right') - t.AddRow([Bold(_('Subject:')), cgi.escape(subject)]) + t.AddRow([Bold(_('Subject:')), Utils.websafe(subject)]) t.AddCellInfo(row+1, col-1, align='right') t.AddRow([Bold(_('Reason:')), _(reason)]) t.AddCellInfo(row+2, col-1, align='right') @@ -604,7 +604,7 @@ def show_post_requests(mlist, id, info, total, count, form): row, col = t.GetCurrentRowIndex(), t.GetCurrentCellIndex() t.AddCellInfo(row, col-1, align='right') t.AddRow([Bold(_('Message Excerpt:')), - TextArea('fulltext-%d' % id, cgi.escape(body), + TextArea('fulltext-%d' % id, Utils.websafe(body), rows=10, cols=80, readonly=1)]) t.AddCellInfo(row+1, col-1, align='right') form.AddItem(t) diff --git a/Mailman/Cgi/confirm.py b/Mailman/Cgi/confirm.py index 4d9304a9a..9cd021a07 100644 --- a/Mailman/Cgi/confirm.py +++ b/Mailman/Cgi/confirm.py 
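Review bot: In show_post_requests the From row, `t.AddRow([Bold(_('From:')), sender])`, still inserts the held message's sender unescaped while the neighbouring Subject row in the same hunk was changed to `Utils.websafe(subject)`; unless `sender` was escaped before this point (its origin is outside the hunk), a string taken from an untrusted message reaches the admin page verbatim. Apply the same treatment: `t.AddRow([Bold(_('From:')), Utils.websafe(sender)])`. show_post_requests starts and ends outside the hunk.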
@@ -51,7 +51,7 @@ def main(): mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: # Avoid cross-site scripting attacks - safelistname = cgi.escape(listname) + safelistname = Utils.websafe(listname) bad_confirmation(doc, _('No such list <em>%(safelistname)s</em>')) doc.AddItem(MailmanLogo()) print doc.Format() @@ -85,7 +85,7 @@ def main(): days = int(mm_cfg.PENDING_REQUEST_LIFE / mm_cfg.days(1) + 0.5) confirmurl = mlist.GetScriptURL('confirm', absolute=1) # Avoid cross-site scripting attacks - safecookie = cgi.escape(cookie) + safecookie = Utils.websafe(cookie) badconfirmstr = _('''<b>Invalid confirmation string:</b> %(safecookie)s. @@ -561,7 +561,7 @@ def heldmsg_confirm(mlist, doc, cookie): # the user who posted the message. op, id = Pending.confirm(cookie, expunge=1) ign, sender, msgsubject, ign, ign, ign = mlist.GetRecord(id) - subject = cgi.escape(msgsubject) + subject = Utils.websafe(msgsubject) lang = mlist.getMemberLanguage(sender) i18n.set_language(lang) doc.set_language(lang) @@ -617,8 +617,8 @@ def heldmsg_prompt(mlist, doc, cookie, id): i18n.set_language(lang) doc.set_language(lang) - subject = cgi.escape(msgsubject) - reason = cgi.escape(givenreason) + subject = Utils.websafe(msgsubject) + reason = Utils.websafe(givenreason) listname = mlist.real_name table.AddRow([_('''Your confirmation is required in order to cancel the posting of your message to the mailing list <em>%(listname)s</em>: diff --git a/Mailman/Cgi/edithtml.py b/Mailman/Cgi/edithtml.py index 7ca5a904c..cd235162e 100644 --- a/Mailman/Cgi/edithtml.py +++ b/Mailman/Cgi/edithtml.py @@ -63,7 +63,7 @@ def main(): mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: # Avoid cross-site scripting attacks - safelistname = cgi.escape(listname) + safelistname = Utils.websafe(listname) doc.AddItem(Header(2, _('No such list <em>%(safelistname)s</em>'))) print doc.Format() syslog('error', 'No such list "%s": %s', listname, e) 
@@ -99,7 +99,7 @@ def main(): break else: # Avoid cross-site scripting attacks - safetemplatename = cgi.escape(template_name) + safetemplatename = Utils.websafe(template_name) doc.SetTitle(_('Edit HTML : Error')) doc.AddItem(Header(2, _("%(safetemplatename)s: Invalid template"))) doc.AddItem(mlist.GetMailmanFooter()) @@ -140,8 +140,7 @@ def FormatHTML(mlist, doc, template_name, template_info): doc.AddItem('<p>') doc.AddItem('<hr>') form = Form(mlist.GetScriptURL('edithtml') + '/' + template_name) - text = Utils.QuoteHyperChars( - Utils.maketext(template_name, raw=1, mlist=mlist)) + text = Utils.websafe(Utils.maketext(template_name, raw=1, mlist=mlist)) form.AddItem(TextArea('html_code', text, rows=40, cols=75)) form.AddItem('<p>' + _('When you are done making changes...')) form.AddItem(SubmitButton('submit', _('Submit Changes'))) diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py index e64693a55..0768ab997 100644 --- a/Mailman/Cgi/listinfo.py +++ b/Mailman/Cgi/listinfo.py @@ -47,7 +47,7 @@ def main(): mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: # Avoid cross-site scripting attacks - safelistname = cgi.escape(listname) + safelistname = Utils.websafe(listname) listinfo_overview(_('No such list <em>%(safelistname)s</em>')) syslog('error', 'No such list "%s": %s', listname, e) return diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py index d0570a85b..de5facfae 100644 --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -63,7 +63,7 @@ def main(): mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: # Avoid cross-site scripting attacks - safelistname = cgi.escape(listname) + safelistname = Utils.websafe(listname) title = _('CGI script error') doc.SetTitle(title) doc.AddItem(Header(2, title)) 
@@ -100,7 +100,7 @@ def main(): user = Utils.LCDomain(Utils.UnobscureEmail(SLASH.join(parts[1:]))) # Avoid cross-site scripting attacks - safeuser = cgi.escape(user) + safeuser = Utils.websafe(user) # Sanity check the user, but be careful about leaking membership # information when we're using private rosters. if not mlist.isMember(user) and mlist.private_roster == 0: @@ -912,11 +912,11 @@ def topic_details(mlist, doc, user, cpuser, userlang, varhelp): table.AddCellInfo(table.GetCurrentRowIndex(), 0, colspan=2, bgcolor=mm_cfg.WEB_SUBHEADER_COLOR) table.AddRow([Bold(Label(_('Name:'))), - Utils.QuoteHyperChars(name)]) + Utils.websafe(name)]) table.AddRow([Bold(Label(_('Pattern (as regexp):'))), - '<pre>' + Utils.QuoteHyperChars(pattern) + '</pre>']) + '<pre>' + Utils.websafe(pattern) + '</pre>']) table.AddRow([Bold(Label(_('Description:'))), - Utils.QuoteHyperChars(description)]) + Utils.websafe(description)]) # Make colors look nice for row in range(1, 4): table.AddCellInfo(row, 0, bgcolor=mm_cfg.WEB_ADMINITEM_COLOR) diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py index 71c30d17c..6b7af70ad 100644 --- a/Mailman/Cgi/private.py +++ b/Mailman/Cgi/private.py @@ -94,7 +94,7 @@ def main(): mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: # Avoid cross-site scripting attacks - safelistname = cgi.escape(listname) + safelistname = Utils.websafe(listname) msg = _('No such list <em>%(safelistname)s</em>') doc.SetTitle(_("Private Archive Error - %(msg)s")) doc.AddItem(Header(2, msg)) diff --git a/Mailman/Cgi/rmlist.py b/Mailman/Cgi/rmlist.py index eae50950c..4c308fa0f 100644 --- a/Mailman/Cgi/rmlist.py +++ b/Mailman/Cgi/rmlist.py @@ -58,7 +58,7 @@ def main(): mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: # Avoid cross-site scripting attacks - safelistname = cgi.escape(listname) + safelistname = Utils.websafe(listname) title = _('No such list <em>%(safelistname)s</em>') doc.SetTitle(title) doc.AddItem( 
diff --git a/Mailman/Cgi/roster.py b/Mailman/Cgi/roster.py index 1f1aa6d0f..71c062400 100644 --- a/Mailman/Cgi/roster.py +++ b/Mailman/Cgi/roster.py @@ -53,7 +53,7 @@ def main(): mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: # Avoid cross-site scripting attacks - safelistname = cgi.escape(listname) + safelistname = Utils.websafe(listname) error_page(_('No such list <em>%(safelistname)s</em>')) syslog('error', 'roster: no such list "%s": %s', listname, e) return diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py index 758d8f405..0b5a9d635 100644 --- a/Mailman/Cgi/subscribe.py +++ b/Mailman/Cgi/subscribe.py @@ -56,7 +56,7 @@ def main(): mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: # Avoid cross-site scripting attacks - safelistname = cgi.escape(listname) + safelistname = Utils.websafe(listname) doc.AddItem(Header(2, _("Error"))) doc.AddItem(Bold(_('No such list <em>%(safelistname)s</em>'))) print doc.Format() diff --git a/Mailman/Handlers/Scrubber.py b/Mailman/Handlers/Scrubber.py index 0d101da41..dfdb918b4 100644 --- a/Mailman/Handlers/Scrubber.py +++ b/Mailman/Handlers/Scrubber.py @@ -20,7 +20,6 @@ import os import re import sha -import cgi import errno import mimetypes import tempfile @@ -99,7 +98,7 @@ URL: %(url)s else: # HTML-escape it and store it as an attachment, but make it # look a /little/ bit prettier. :( - payload = cgi.escape(part.get_payload()) + payload = Utils.websafe(part.get_payload()) # For whitespace in the margin, change spaces into # non-breaking spaces, and tabs into 8 of those. Then use a # mono-space font. Still looks hideous to me, but then I'd 
@@ -299,7 +298,7 @@ def save_attachment(mlist, msg, filter_html=1): elif msg.get_type() == 'message/rfc822': submsg = msg.get_payload() # BAW: I'm sure we can eventually do better than this. :( - decodedpayload = cgi.escape(str(submsg)) + decodedpayload = Utils.websafe(str(submsg)) fp = open(path, 'w') fp.write(decodedpayload) fp.close() diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 86c77c1ef..3b300c1b8 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -344,9 +344,8 @@ def check_global_password(response, siteadmin=1): -def QuoteHyperChars(str): - from cgi import escape - return escape(str, quote=1) +def websafe(s): + return cgi.escape(s, quote=1) @@ -563,7 +562,7 @@ def GetRequestURI(fallback=None, escape=1): elif os.environ.has_key('SCRIPT_NAME') and os.environ.has_key('PATH_INFO'): url = os.environ['SCRIPT_NAME'] + os.environ['PATH_INFO'] if escape: - return cgi.escape(url) + return websafe(url) return url diff --git a/Mailman/htmlformat.py b/Mailman/htmlformat.py index 37765332d..4e9a1e6b2 100644 --- a/Mailman/htmlformat.py +++ b/Mailman/htmlformat.py @@ -361,7 +361,7 @@ class QuotedContainer(Container): # If I don't start a new I ignore indent output = '<%s>%s</%s>' % ( self.tag, - Utils.QuoteHyperChars(Container.Format(self, indent)), + Utils.websafe(Container.Format(self, indent)), self.tag) return output |
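Review bot: The import hunk in Scrubber.py removes `import cgi` without adding an import of `Utils`, and the two new `Utils.websafe` calls (the HTML-escape branch around line 101 and the message/rfc822 branch of save_attachment) now depend on it; the import block is only partly visible, so if Scrubber.py does not already import Utils elsewhere the failure would be a NameError while processing a message rather than at import time. Worth confirming before merging. Both enclosing functions start and end outside their hunks.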
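Review bot: The new `websafe` in Utils.py has no docstring, and it is now the single escaping helper the whole web UI relies on, so its contract should be explicit; a docstring such as `"""Return s with &, <, > and double quotes replaced by HTML entities; single quotes are left alone, so use the result only in element content or double-quoted attributes."""` records the limitation inherited from cgi.escape(quote=1). `QuoteHyperChars` is deleted outright; a one-line alias `QuoteHyperChars = websafe` would keep any not-yet-converted or out-of-tree caller working. Note also that GetRequestURI previously called cgi.escape without quote=1 and now escapes double quotes too — a small but real change in its output that deserves a line in the commit message.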
