-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/4/2010 5:59 PM, Mark Sapiro wrote:
> I plan to release a Mailman 2.1.14 candidate release towards the end of
> next week (Sept 9 or 10). This release will have enhanced XSS defenses
> addressing two recently discovered vulnerabilities. Since release of the
> code will potentially expose the vulnerabilities, I plan to publish a
> patch against the 2.1.13 base with the fix before actually releasing the
> 2.1.14 candidate.
>
> I will post the patch to the same 4 lists that this post is being sent
> to in the early afternoon, GMT, on September 9.
>
> The vulnerabilities are obscure and can only be exploited by a list
> owner, but if you are concerned about them you can plan to install the
> patch.
The patch is attached. Since it only affects the web CGIs, it can be
applied and will be effective without restarting Mailman, although, since
it includes a patch to Utils.py, which is imported by the qrunners, a
restart of Mailman is advisable as soon as convenient after applying the
patch.

- --
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFMiOUnVVuXXpU7hpMRAkWlAJoCqVN2gSlNummYeDfq+BHcVfSKhACg5qrJ
7Idyd0aET0xWy11P6njxT3w=
=9uxx
-----END PGP SIGNATURE-----
=== modified file 'Mailman/Cgi/listinfo.py' --- Mailman/Cgi/listinfo.py 2010-06-24 04:09:34 +0000 +++ Mailman/Cgi/listinfo.py 2010-09-05 14:38:30 +0000 @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2009 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2010 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -97,7 +97,7 @@ else: advertised.append((mlist.GetScriptURL('listinfo'), mlist.real_name, - mlist.description)) + Utils.websafe(mlist.description))) if msg: greeting = FontAttr(msg, color="ff5060", size="+1") else: === modified file 'Mailman/HTMLFormatter.py' --- Mailman/HTMLFormatter.py 2008-02-03 19:27:07 +0000 +++ Mailman/HTMLFormatter.py 2010-09-05 00:15:08 +0000 @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2008 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2010 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -383,8 +383,9 @@ '<mm-mailman-footer>' : self.GetMailmanFooter(), '<mm-list-name>' : self.real_name, '<mm-email-user>' : self._internal_name, - '<mm-list-description>' : self.description, - '<mm-list-info>' : BR.join(self.info.split(NL)), + '<mm-list-description>' : Utils.websafe(self.description), + '<mm-list-info>' : + '<!---->' + BR.join(self.info.split(NL)) + '<!---->', '<mm-form-end>' : self.FormatFormEnd(), '<mm-archive>' : self.FormatArchiveAnchor(), '</mm-archive>' : '</a>', === modified file 'Mailman/Utils.py' --- Mailman/Utils.py 2009-08-01 19:22:34 +0000 +++ Mailman/Utils.py 2010-09-05 14:36:02 +0000 @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2009 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2010 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License 
@@ -911,6 +911,7 @@ # Kludge to allow the specific tag that's in the options.html template. '<link(?! rel="SHORTCUT ICON" href="<mm-favicon>">)', '<meta', + '<object', '<script', r'(?:^|\W)j(?:ava)?script(?:\W|$)', r'(?:^|\W)vbs(?:cript)?(?:\W|$)',
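Review bot: in the `Mailman/Cgi/listinfo.py` hunk, only `mlist.description` in the `advertised.append((...))` tuple is wrapped in `Utils.websafe`; `mlist.real_name` in the same tuple still goes in raw. If `real_name` is constrained to safe characters elsewhere, a one-line comment saying so would save the next reader the check; if it is not, escape it the same way. It is also worth confirming that the consumer of `advertised` does not escape the tuple a second time, or a `<` in a description will render on the overview page as the literal text `&lt;`.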
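Review bot: in the `Mailman/HTMLFormatter.py` hunk, the `<!---->` markers added around `<mm-list-info>` carry no comment explaining what they are for, and to a reader they look like stray HTML comments; add a comment stating their purpose. The hunk is also asymmetric: `<mm-list-description>` now goes through `Utils.websafe`, but `<mm-list-info>` is still inserted unescaped, so protection for `info` has to come from wherever the owner sets it (the tag check in `Utils.py` touched by this same patch is the obvious candidate). If that check is not applied on every path that writes `info`, `info` remains an owner-controlled HTML injection point, which is exactly the class of bug this patch is meant to close. Minor: if `NL` is a bare newline, `self.info.split(NL)` leaves a trailing `\r` on each line of CRLF input; harmless, but worth normalising while this line is being touched.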
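Review bot: in the `Mailman/Utils.py` hunk, adding `'<object'` closes one gap, but a deny-list of tag prefixes is only as good as its coverage. The visible context has `<link`, `<meta`, `<object`, `<script` and the `javascript`/`vbscript` scheme patterns; there is no sign of `<embed`, `<applet`, `<iframe`, `<base` or `<form`, and if they are not in the lines above this hunk they should be added in the same change, since `<object` is only one of several tags that load or redirect active content. Two things the hunk does not show and that should be checked where these patterns are compiled: that matching is case-insensitive (`re.I`), since `<OBJECT` or `<Object` would otherwise pass, and that the check runs on the text as it will actually be emitted, not on a form that is decoded or unescaped afterwards. The existing `<link` kludge, with its exact `rel="SHORTCUT ICON" href="<mm-favicon>"` lookahead, is fragile: any reordering or re-quoting of those attributes in `options.html` will make the template itself fail the check, so a comment pointing at that template line would help whoever next edits it.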
Attachment: xss.patch.txt.sig (binary data)
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9