Revision: 8237
http://svn.sourceforge.net/mailman/?rev=8237&view=rev
Author: msapiro
Date: 2007-06-15 15:22:33 -0700 (Fri, 15 Jun 2007)
Log Message:
-----------
Scrubber.py - If a malformed message has Content-Type: with a
charset="quoted-printable" parameter, quopri_encode can be
called at t = t.encode(charset, 'replace') which throws
an AssertionError. See log message for r. 8213. Caught this.
- Malformed RFC 2047 encoded filename= parameter can have
a null byte or other garbage in the extension. Cleaned this.
- A message with a message/delivery-status part returns
None for the part's payload. Checked for a payload before
attempting unicode/encode.
Modified Paths:
--------------
branches/Release_2_1-maint/mailman/Mailman/Handlers/Scrubber.py
Modified: branches/Release_2_1-maint/mailman/Mailman/Handlers/Scrubber.py
===================================================================
--- branches/Release_2_1-maint/mailman/Mailman/Handlers/Scrubber.py
2007-06-12 21:57:25 UTC (rev 8236)
+++ branches/Release_2_1-maint/mailman/Mailman/Handlers/Scrubber.py
2007-06-15 22:22:33 UTC (rev 8237)
@@ -373,7 +373,9 @@
partcharset = str(partcharset)
else:
partcharset = part.get_content_charset()
- if partcharset and partcharset <> charset:
+ # If the part is Content-Type: message/delivery-status, payload is
+ # None so test here.
+ if t and partcharset and partcharset <> charset:
try:
t = unicode(t, partcharset, 'replace')
except (UnicodeError, LookupError, ValueError, AssertionError):
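Review bot: The new guard in "if t and partcharset and partcharset <> charset:" tests truthiness, so it skips the empty string as well as the None payload the comment describes; "t is not None" would say what is meant. The guard also covers only the unicode() conversion in this branch, so please confirm that the later t.encode(charset, 'replace') call cannot be reached with t still None, since AttributeError is not in either except tuple.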
@@ -385,7 +387,7 @@
try:
# Should use HTML-Escape, or try generalizing to UTF-8
t = t.encode(charset, 'replace')
- except (UnicodeError, LookupError, ValueError):
+ except (UnicodeError, LookupError, ValueError, AssertionError):
t = t.encode(lcset, 'replace')
# Separation is useful
if isinstance(t, StringType):
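Review bot: The except clause around t.encode(charset, 'replace') now catches AssertionError with no comment saying why, and a reader of the code will not guess that a non-text codec name arriving as the charset can raise it. Add a one-line comment to that effect, or reject such charset values before calling encode so the handler does not also swallow unrelated assertion failures.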
@@ -436,7 +438,7 @@
# i18n file name is encoded
lcset = Utils.GetCharSet(mlist.preferred_language)
filename = Utils.oneline(msg.get_filename(''), lcset)
- fnext = os.path.splitext(filename)[1]
+ filename, fnext = os.path.splitext(filename)
# For safety, we should confirm this is valid ext for content-type
# but we can use fnext if we introduce fnext filtering
if mm_cfg.SCRUBBER_USE_ATTACHMENT_FILENAME_EXTENSION:
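Review bot: "filename, fnext = os.path.splitext(filename)" now keeps the base name for later use, but only the extension is filtered further down; the base comes from the same sender-supplied filename= parameter and can carry the same null byte or other garbage. Confirm the base is cleaned before it is used to build a path, and note in the comment that filename no longer includes the extension from here on.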
@@ -444,6 +446,8 @@
ext = fnext or guess_extension(ctype, fnext)
else:
ext = guess_extension(ctype, fnext)
+ # Allow only alphanumerics, dash, underscore, and dot
+ ext = sre.sub('', ext)
if not ext:
# We don't know what it is, so assume it's just a shapeless
# application/octet-stream, unless the Content-Type: is
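Review bot: "ext = sre.sub('', ext)" keeps dots, per the comment above it, so an extension made up of a dot plus stripped characters collapses to a bare "." and passes the "if not ext:" test that follows, giving a file name with a trailing dot. Treat "." as empty before that test. The name sre also reads like the old sre module rather than a compiled pattern; a more descriptive name, or a comment pointing at its definition, would help.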
@@ -461,7 +465,6 @@
try:
# Now base the filename on what's in the attachment, uniquifying it if
# necessary.
- filename = msg.get_filename()
if not filename or mm_cfg.SCRUBBER_DONT_USE_ATTACHMENT_FILENAME:
filebase = 'attachment'
else:
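Review bot: With "filename = msg.get_filename()" removed, the "if not filename" test here relies on the assignment made in the hunk at line 438, roughly 25 lines up, where filename became the Utils.oneline-decoded base without its extension. The comment "Now base the filename on what's in the attachment" should say so, and the else branch, which is cut off here, should be checked so it does not split the extension off a second time.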