Re: [Mailman-Users] Mailman Security Patch Announcement

2011-02-18 Thread Mark Sapiro 
On 2/18/2011 8:01 AM, Mark Sapiro wrote:
> 
> The patch is attached as confirm_xss.patch.txt.
> 

This list's content filtering stripped the patch's signature part. For
those who would want to verify the signature, I am resending the patch
here as a PGP MIME format message which should pass content filtering.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan

=== modified file 'Mailman/Cgi/confirm.py'
--- Mailman/Cgi/confirm.py  2010-03-29 20:48:11 +
+++ Mailman/Cgi/confirm.py  2011-02-12 02:24:47 +
@@ -471,7 +471,7 @@
 if fullname is None:
 fullname = _('Not available')
 else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
 table.AddRow([_("""Your confirmation is required in order to complete the
 unsubscription request from the mailing list %(listname)s.  You
 are currently subscribed with
@@ -573,7 +573,7 @@
 if fullname is None:
 fullname = _('Not available')
 else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
 if globally:
 globallys = _('globally')
 else:
@@ -814,7 +814,7 @@
 if username is None:
 username = _('not available')
 else:
-username = Utils.uncanonstr(username, lang)
+username = Utils.websafe(Utils.uncanonstr(username, lang))
 
 table.AddRow([_("""Your membership in the %(realname)s mailing list is
 currently disabled due to excessive bounces.  Your confirmation is



signature.asc
Description: OpenPGP digital signature
--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Mailman Security Patch Announcement

2011-02-18 Thread Mark Sapiro 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 2/13/2011 1:58 PM, Mark Sapiro wrote:
> An XXS vulnerability affecting Mailman 2.1.14 and prior versions has
> recently been discovered. A patch has been developed to address this
> issue. The patch is small, affects only one module and can be applied to
> a live installation without requiring a restart.
> 
> In order to accommodate those who need some notice before applying such
> a patch, the patch will be posted on Friday, 18 February at about 16:00
> GMT to the same four lists to which this announcement is addressed.


The vulnerability has been assigned CVE-2011-0707.

The patch is attached as confirm_xss.patch.txt.

- -- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFNXpf1VVuXXpU7hpMRAs1nAJ97r3VEu5b5jl4JhdNv3r6x+ElqjQCghU+w
Gp0hqWatECAYyAIL7IH9dGk=
=8U6M
-END PGP SIGNATURE-
=== modified file 'Mailman/Cgi/confirm.py'
--- Mailman/Cgi/confirm.py  2010-03-29 20:48:11 +
+++ Mailman/Cgi/confirm.py  2011-02-12 02:24:47 +
@@ -471,7 +471,7 @@
 if fullname is None:
 fullname = _('Not available')
 else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
 table.AddRow([_("""Your confirmation is required in order to complete the
 unsubscription request from the mailing list %(listname)s.  You
 are currently subscribed with
@@ -573,7 +573,7 @@
 if fullname is None:
 fullname = _('Not available')
 else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
 if globally:
 globallys = _('globally')
 else:
@@ -814,7 +814,7 @@
 if username is None:
 username = _('not available')
 else:
-username = Utils.uncanonstr(username, lang)
+username = Utils.websafe(Utils.uncanonstr(username, lang))
 
 table.AddRow([_("""Your membership in the %(realname)s mailing list is
 currently disabled due to excessive bounces.  Your confirmation is

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org