Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
mailman.15639
mailman-2.1.15-CVE-2018-13796.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File mailman-2.1.15-CVE-2018-13796.patch of Package mailman.15639
=== modified file 'Mailman/Utils.py' --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -245,10 +245,25 @@ CRNLpat = re.compile(r'[^\x21-\x7e]') def GetPathPieces(envar='PATH_INFO'): path = os.environ.get(envar) if path: + remote = os.environ.get('HTTP_FORWARDED_FOR', + os.environ.get('HTTP_X_FORWARDED_FOR', + os.environ.get('REMOTE_ADDR', + 'unidentified origin'))) if CRNLpat.search(path): path = CRNLpat.split(path)[0] syslog('error', 'Warning: Possible malformed path attack.') - return [p for p in path.split('/') if p] + # Check for listname injections that won't be websafed. + pieces = [p for p in path.split('/') if p] + # Get the longest listname or 20 if none. + if list_names(): + longest = max([len(x) for x in list_names()]) + else: + longest = 20 + if pieces and len(pieces[0]) > longest: + syslog('mischief', + 'Hostile listname: listname=%s: remote=%s', pieces[0], remote) + pieces[0] = pieces[0][:longest] + '...' + return pieces return None
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor