From bb0383b9174e1afb5939928539bfd9c20c8829f2 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Wed, 15 Mar 2017 20:39:27 -0700
Subject: Treat message and digest headers and footers as empty if they contain only whitespace.
---
Mailman/Handlers/Decorate.py | 8 ++++++--
Mailman/Handlers/ToDigest.py | 10 +++++-----
2 files changed, 11 insertions(+), 7 deletions(-)
(limited to 'Mailman')
diff --git a/Mailman/Handlers/Decorate.py b/Mailman/Handlers/Decorate.py
index de8b44e6..d1c8c5b4 100644
--- a/Mailman/Handlers/Decorate.py
+++ b/Mailman/Handlers/Decorate.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2008 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2017 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -210,7 +210,11 @@ def process(mlist, msg, msgdata):
 def decorate(mlist, template, what, extradict=None):
 # `what' is just a descriptive phrase used in the log message
- #
+
+ # If template is only whitespace, ignore it.
+ if len(re.sub('\s', '', template)) == 0:
+ return ''
+
 # BAW: We've found too many situations where Python can be fooled into
 # interpolating too much revealing data into a format string. For
 # example, a footer of "% silly %(real_name)s" would give a header
diff --git a/Mailman/Handlers/ToDigest.py b/Mailman/Handlers/ToDigest.py
index 02965f82..046cbaba 100644
--- a/Mailman/Handlers/ToDigest.py
+++ b/Mailman/Handlers/ToDigest.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2016 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2017 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
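Review bot: `if len(re.sub('\s', '', template)) == 0:` spells a plain whitespace test as a regex in a non-raw string literal; `if not template.strip(): return ''` states the same intent without relying on `re` being imported in this module (the import is not visible in the hunk). The same `re.sub('\s', '', ...)` form appears in the two ToDigest.py hunks of this commit and could be written with `.strip()` there as well. The early return also skips the interpolation handling that the BAW comment below introduces, which is fine for an empty result but worth recording, e.g. `# Whitespace-only templates add nothing; skip the interpolation below entirely.` decorate's body continues outside the hunk.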
@@ -215,8 +215,8 @@ def send_i18n_digests(mlist, mboxfp):
 # RFC 1153
 print >> plainmsg, mastheadtxt
 print >> plainmsg
- # Now add the optional digest header
- if mlist.digest_header:
+ # Now add the optional digest header but only if more than whitespace.
+ if re.sub('\s', '', mlist.digest_header):
 headertxt = decorate(mlist, mlist.digest_header, _('digest header'))
 # MIME
 header = MIMEText(headertxt, _charset=lcset)
@@ -365,8 +365,8 @@ def send_i18n_digests(mlist, mboxfp):
 print >> plainmsg, payload
 if not payload.endswith('\n'):
 print >> plainmsg
- # Now add the footer
- if mlist.digest_footer:
+ # Now add the footer but only if more than whitespace.
+ if re.sub('\s', '', mlist.digest_footer):
 footertxt = decorate(mlist, mlist.digest_footer, _('digest footer'))
 # MIME
 footer = MIMEText(footertxt, _charset=lcset)
-- cgit v1.2.3
From f2d4b816b39a77c32562dc8a23b1fcd0e61cc869 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Thu, 30 Mar 2017 12:20:45 -0700
Subject: Fixed unexploitable XSS attach via crafted HTTP Host: header.
---
Mailman/Utils.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'Mailman')
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 7bae2e6e..739def1d 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -759,7 +759,7 @@ def get_domain():
 if port and host.endswith(':' + port):
 host = host[:-len(port)-1]
 if mm_cfg.VIRTUAL_HOST_OVERVIEW and host:
- return host.lower()
+ return websafe(host.lower())
 else:
 # See the note in Defaults.py concerning DEFAULT_URL
 # vs. DEFAULT_URL_HOST.
-- cgit v1.2.3
From 4657d9ae7b6c0b696ae2557a89469ac7f29c9289 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Tue, 25 Apr 2017 15:06:49 -0700
Subject: Change 'subscribees' to 'subscribers' on admin mass subscribe page. Update i18n.
---
Mailman/Cgi/admin.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'Mailman')
diff --git a/Mailman/Cgi/admin.py b/Mailman/Cgi/admin.py
index 736cc684..41875533 100644
--- a/Mailman/Cgi/admin.py
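Review bot: `if re.sub('\s', '', mlist.digest_header):` replaces a truthiness test that also tolerated an unset attribute; if digest_header can ever be None on an older list (not visible here), re.sub now raises TypeError where the old code silently skipped the header. `if mlist.digest_header and mlist.digest_header.strip():` keeps that tolerance and drops the regex (and its non-raw `'\s'` literal); the digest_footer test in the @@ -365 hunk has the same shape. send_i18n_digests starts outside both hunks.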
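Review bot: `return websafe(host.lower())` HTML-escapes the Host header value inside get_domain(), so every caller receives entity-encoded text rather than only those that emit HTML; if the result is also used to build URLs or mail headers (call sites are not visible here), a host containing `&` would reach them as `&amp;`. Output encoding belongs at the point of HTML emission, and the value itself is better handled by validation: the request host is client-supplied, so the VIRTUAL_HOST_OVERVIEW branch could accept it only when it is a configured virtual host (a key of mm_cfg.VIRTUAL_HOSTS) and otherwise fall through to the DEFAULT_URL_HOST path the comment below refers to — a behaviour change for sites that rely on unconfigured hosts being echoed, so it needs a deliberate decision. A comment such as `# Host: is client-supplied; escape it so callers that embed it in HTML are safe.` would record why the escape lives here. get_domain's body starts outside the hunk.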
+++ b/Mailman/Cgi/admin.py
@@ -1215,7 +1215,7 @@ def mass_subscribe(mlist, container):
 table.AddCellInfo(table.GetCurrentRowIndex(), 0, bgcolor=GREY)
 table.AddCellInfo(table.GetCurrentRowIndex(), 1, bgcolor=GREY)
 table.AddRow([
- Label(_('Send welcome messages to new subscribees?')),
+ Label(_('Send welcome messages to new subscribers?')),
 RadioButtonArray('send_welcome_msg_to_this_batch',
 (_('No'), _('Yes')),
 mlist.send_welcome_msg,
-- cgit v1.2.3