Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
mailman.15639
mailman-2.1.11-CVE-2015-2775.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File mailman-2.1.11-CVE-2015-2775.patch of Package mailman.15639
=== modified file 'Mailman/Defaults.py.in' --- a/Mailman/Defaults.py.in +++ b/Mailman/Defaults.py.in @@ -118,7 +118,7 @@ HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/l # A Python regular expression character class which defines the characters # allowed in list names. Lists cannot be created with names containing any -# character that doesn't match this class. +# character that doesn't match this class. Do not include '/' in this list. ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]' --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -92,6 +92,12 @@ def list_exists(listname): # # The former two are for 2.1alpha3 and beyond, while the latter two are # for all earlier versions. + # + # But first ensure the list name doesn't contain a path traversal + # attack. + if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0: + syslog('mischief', 'Hostile listname: %s', listname) + return False basepath = Site.get_listpath(listname) for ext in ('.pck', '.pck.last', '.db', '.db.last'): dbfile = os.path.join(basepath, 'config' + ext)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor