Update of /cvsroot/mailman/mailman/Mailman/Cgi In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv29511
Modified Files: private.py Log Message: Fix XSS bug: Thanks Moritz Naumann. (CVE-2006-1512) Index: private.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/private.py,v retrieving revision 2.22 retrieving revision 2.23 diff -u -d -r2.22 -r2.23 --- private.py 30 Dec 2005 18:56:46 -0000 2.22 +++ private.py 4 Apr 2006 23:57:42 -0000 2.23 @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2005 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2006 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -148,9 +148,10 @@ # page don't work. if true_filename.endswith('/index.html') and parts[-1] <> 'index.html': action += SLASH + # Escape web input parameter to avoid cross-site scripting. print Utils.maketext( 'private.html', - {'action' : action, + {'action' : Utils.websafe(action), 'realname': mlist.real_name, 'message' : message, }, mlist=mlist) _______________________________________________ Mailman-checkins mailing list Mailman-checkins@python.org Unsubscribe: http://mail.python.org/mailman/options/mailman-checkins/archive%40jab.org
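Review bot: in the second hunk (@@ -148,9 +148,10 @@) only `action` is wrapped in `Utils.websafe()` before being passed to `Utils.maketext('private.html', ...)`, while `message` and `mlist.real_name` go into the same template dictionary unchanged; since `action` is assembled from request-derived path pieces (`true_filename`, `parts[-1]`), escaping it is the right fix, but the same substitution point still renders `message` raw, so either confirm that `message` can only ever hold server-generated text or escape it at the same place, e.g. `'message' : Utils.websafe(message),`, so that a future caller cannot reintroduce the XSS through the other template variable.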