------------------------------------------------------------
revno: 1807
committer: Mark Sapiro <[email protected]>
branch nick: 2.1
timestamp: Fri 2019-03-01 18:24:14 -0800
message:
Implement MAX_LISTNAME_LENGTH to avoid calculating on each web access.
modified:
Mailman/Defaults.py.in
Mailman/Utils.py
NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
=== modified file 'Mailman/Defaults.py.in'
--- Mailman/Defaults.py.in 2018-07-12 03:14:02 +0000
+++ Mailman/Defaults.py.in 2019-03-02 02:24:14 +0000
@@ -166,6 +166,15 @@
# character that doesn't match this class. Do not include '/' in this list.
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
+# The number of characters in the longest listname in the installation. The
+# fix for LP: #1780874 truncates list names in web URLs to this length to avoid
+# a content spoofing vulnerability. If this is left at its default value of
+# 0, the length of the longest listname is calculated on every web access.
+# This can have performance implications in installations with a very large
+# number of lists. To use this feature to avoid the calculation, set this to
+# a number equal to the length of the longest expected valid list name.
+MAX_LISTNAME_LENGTH = 0
+
# Shall the user's real names be displayed along with their email addresses
# in list rosters? Defaults to No to preserve prior behavior.
ROSTER_DISPLAY_REALNAME = No
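Review bot: the new comment should warn that a non-zero MAX_LISTNAME_LENGTH must be at least as long as the longest existing list name, not merely the "longest expected valid list name", and that it has to be raised before a longer list is created; with the check in Utils.py, any request whose first path component is longer than this value is logged as a hostile listname and not served, so an undersized value silently breaks access to real lists. Consider adding a sentence such as "A value smaller than the length of an existing list name will cause requests for that list to be treated as hostile."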
=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py 2019-01-29 05:48:13 +0000
+++ Mailman/Utils.py 2019-03-02 02:24:14 +0000
@@ -292,11 +292,16 @@
remote)
# Check for listname injections that won't be websafed.
pieces = [p for p in path.split('/') if p]
- # Get the longest listname or 20 if none.
- if list_names():
- longest = max([len(x) for x in list_names()])
+ # Get the longest listname or 20 if none or use MAX_LISTNAME_LENGTH if
+ # provided > 0.
+ if mm_cfg.MAX_LISTNAME_LENGTH > 0:
+ longest = mm_cfg.MAX_LISTNAME_LENGTH
else:
- longest = 20
+ lst_names = list_names()
+ if lst_names:
+ longest = max([len(x) for x in lst_names])
+ else:
+ longest = 20
if pieces and len(pieces[0]) > longest:
syslog('mischief',
'Hostile listname: listname=%s: remote=%s', pieces[0], remote)
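Review bot: the configured path skips list_names() entirely, so a MAX_LISTNAME_LENGTH smaller than a real list name makes legitimate requests hit the `syslog('mischief', 'Hostile listname: ...')` branch; a one-time sanity check (for example, at list creation time, refusing or logging a warning when the new name exceeds mm_cfg.MAX_LISTNAME_LENGTH) would make the misconfiguration visible instead of surfacing as spurious mischief entries. Minor points: the rewritten comment "Get the longest listname or 20 if none or use MAX_LISTNAME_LENGTH if provided > 0." is hard to parse and could read "Use MAX_LISTNAME_LENGTH if set (> 0), otherwise the longest listname, or 20 if there are no lists."; and `max([len(x) for x in lst_names])` can be `max(len(x) for x in lst_names)` without building the intermediate list.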
=== modified file 'NEWS'
--- NEWS 2018-12-30 17:40:15 +0000
+++ NEWS 2019-03-02 02:24:14 +0000
@@ -14,6 +14,13 @@
From: addresses listed or matching listed regexps. This can be used
to modify mail to addresses that don't accept external mail From:
themselves.
+
+ - There is a new MAX_LISTNAME_LENGTH setting. The fix for LP: #1780874
+ obtains a list of the names of all the all the lists in the installation
+ in order to determine the maximum length of a legitimate list name. It
+ does this on every web access and on sites with a very large number of
+ lists, this can have performance implications. See the description in
+ Defaults.py for more information.
Bug Fixes and other patches
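Review bot: the NEWS entry has a duplicated phrase, "all the all the lists", which should read "all the lists". It would also help administrators to state in one sentence that the setting is only used when set to a value greater than 0 and must cover the longest existing list name, rather than deferring entirely to Defaults.py.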