Update of /cvsroot/mailman/mailman/Mailman/Cgi In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19291
Modified Files: Tag: Release_2_1-maint private.py Log Message: Fix XSS bug: Thanks Moritz Naumann. (CVE-2006-1512) Index: private.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/private.py,v retrieving revision 2.16.2.7 retrieving revision 2.16.2.8 diff -u -d -r2.16.2.7 -r2.16.2.8 --- private.py 30 Dec 2005 18:50:07 -0000 2.16.2.7 +++ private.py 4 Apr 2006 23:47:14 -0000 2.16.2.8 @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2005 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2006 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -148,9 +148,10 @@ # page don't work. if true_filename.endswith('/index.html') and parts[-1] <> 'index.html': action += SLASH + # Escape web input parameter to avoid cross-site scripting. print Utils.maketext( 'private.html', - {'action' : action, + {'action' : Utils.websafe(action), 'realname': mlist.real_name, 'message' : message, }, mlist=mlist) _______________________________________________ Mailman-checkins mailing list Mailman-checkins@python.org Unsubscribe: http://mail.python.org/mailman/options/mailman-checkins/archive%40jab.org
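Review bot: In the second hunk (@@ -148,9 +148,10 @@), only the 'action' value is wrapped in Utils.websafe(), while the other two template substitutions, 'realname': mlist.real_name and 'message' : message, still reach Utils.maketext() unescaped; if message can carry text derived from the request, it needs the same treatment, and if it cannot, a comment saying so next to the new "Escape web input parameter" line would make the fix reviewable without reading the rest of the file. The visible context (action += SLASH keyed on parts[-1]) shows action being assembled from request path components, so escaping at the output site as done here is the right place, but consider stating in the comment which component is attacker-controlled so the reason for the escape survives future edits.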