Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:Update
mailman.24378
mailman-2.1.14-CVE-2016-6893.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File mailman-2.1.14-CVE-2016-6893.patch of Package mailman.24378
Patch for CVE-2016-6893 This will apply with possible minor line number diffs to any Mailman >= 2.1.15 For Mailman < 2.1.15, the required Mailman/CSRFcheck.py module doesn't exist and other CSRF vulnerabilities exist in the admin UI, so upgrade is recommended. === modified file 'Mailman/Cgi/admindb.py' --- a/Mailman/Cgi/admindb.py +++ b/Mailman/Cgi/admindb.py @@ -39,6 +39,7 @@ from Mailman.ListAdmin import readMessag from Mailman.Cgi import Auth from Mailman.htmlformat import * from Mailman.Logging.Syslog import syslog +from Mailman.CSRFcheck import csrf_check EMPTYSTRING = '' NL = '\n' @@ -58,6 +59,9 @@ if mm_cfg.DISPLAY_HELD_SUMMARY_SORT_BUTT else: ssort = SSENDER +AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin, + mm_cfg.AuthListModerator) + def helds_by_skey(mlist, ssort=SSENDER): --- a/Mailman/Cgi/edithtml.py +++ b/Mailman/Cgi/edithtml.py @@ -30,9 +30,12 @@ from Mailman import Errors from Mailman.Cgi import Auth from Mailman.Logging.Syslog import syslog from Mailman import i18n +from Mailman.CSRFcheck import csrf_check _ = i18n._ +AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin) + def main(): --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -32,6 +32,7 @@ from Mailman import MemberAdaptor from Mailman import i18n from Mailman.htmlformat import * from Mailman.Logging.Syslog import syslog +from Mailman.CSRFcheck import csrf_check SLASH = '/' SETLANGUAGE = -1 @@ -46,6 +47,8 @@ except NameError: True = 1 False = 0 +AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin, + mm_cfg.AuthListModerator, mm_cfg.AuthUser) def main(): --- a/Mailman/HTMLFormatter.py +++ b/Mailman/HTMLFormatter.py @@ -28,6 +28,8 @@ from Mailman.htmlformat import * from Mailman.i18n import _ +from Mailman.CSRFcheck import csrf_token + EMPTYSTRING = '' BR = '<br>' @@ -314,12 +316,17 @@ class HTMLFormatter: container.AddItem("</center>") return container - def FormatFormStart(self, name, extra=''): + def FormatFormStart(self, name, extra='', + mlist=None, contexts=None, user=None): base_url = self.GetScriptURL(name) if extra: full_url = "%s/%s" % (base_url, extra) else: full_url = base_url + if mlist: + return ("""<form method="POST" action="%s"> +<input type="hidden" name="csrf_token" value="%s">""" + % (full_url, csrf_token(mlist, contexts, user))) return ('<FORM Method=POST ACTION="%s">' % full_url) def FormatArchiveAnchor(self): --- a/Mailman/htmlformat.py +++ b/Mailman/htmlformat.py @@ -405,13 +405,14 @@ class Center(StdContainer): class Form(Container): def __init__(self, action='', method='POST', encoding=None, - mlist=None, contexts=None, *items): + mlist=None, contexts=None, user=None, *items): apply(Container.__init__, (self,) + items) self.action = action self.method = method self.encoding = encoding self.mlist = mlist self.contexts = contexts + self.user = user def set_action(self, action): self.action = action @@ -426,7 +427,7 @@ class Form(Container): if self.mlist: output = output + \ '<input type="hidden" name="csrf_token" value="%s">\n' \ - % csrf_token(self.mlist, self.contexts) + % csrf_token(self.mlist, self.contexts, self.user) output = output + Container.Format(self, indent+2) output = '%s\n%s</FORM>\n' % (output, spaces) return output
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor