rpms/mailman/FC-2 mailman-2.1-CAN-2004-1177.patch, NONE, 1.1 mailman.spec, 1.20, 1.21

fedora-cvs-commits at redhat.com
Mon Mar 21 20:05:22 UTC 2005


Update of /cvs/dist/rpms/mailman/FC-2
In directory cvs.devel.redhat.com:/tmp/cvs-serv9401

Modified Files:
	mailman.spec 
Added Files:
	mailman-2.1-CAN-2004-1177.patch 
Log Message:
fix bug 147833, CAN-2004-1177


mailman-2.1-CAN-2004-1177.patch:
 driver |   28 +++++++++++++++++++++++-----
 1 files changed, 23 insertions(+), 5 deletions(-)

--- NEW FILE mailman-2.1-CAN-2004-1177.patch ---
--- mailman-2.1.5.orig/scripts/driver	2003-04-20 00:52:55.000000000 -0400
+++ /usr/src/local/mailman/mailman/scripts/driver	2004-12-27 19:38:22.000000000 -0500
@@ -1,6 +1,6 @@
 # -*- python -*-
 
-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2004 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
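Review bot: the `+++` header points at an absolute path on the author's workstation (`/usr/src/local/mailman/mailman/scripts/driver`) while the `---` header is the relative `mailman-2.1.5.orig/scripts/driver`; `%patch6 -p1` only applies because patch falls back to the old-file name after stripping one component. Regenerate the diff with both sides relative to the unpacked tarball (for example `mailman-2.1.5.orig/scripts/driver` and `mailman-2.1.5/scripts/driver`) so the strip level is the same on both headers and the patch does not depend on that fallback.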
@@ -28,7 +28,11 @@
 # comfortable with.  By setting STEALTH_MODE to 1, you disable the printing of
 # this information to the web pages.  This information is still, and always,
 # printed in the error logs.
-STEALTH_MODE = 0
+STEALTH_MODE = 1
+
+# This will be set to the entity escaper.
+def websafe(s):
+    return s
 
 
 
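Review bot: the placeholder `websafe` returns its argument unchanged, so any code path that prints HTML before `Mailman.Utils.websafe` has been imported, and without `STEALTH_MODE` having been forced to 1, still emits unescaped attacker-controlled data. A safer default for a fallback that exists only to be called in error paths is to do the minimal escaping inline, for example `return str(s).replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')`, so the XSS fix does not hinge on the `STEALTH_MODE` bookkeeping in `run_main()` being complete. The comment above it should also say explicitly that the identity version is a placeholder that is unsafe on its own.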
@@ -53,12 +57,22 @@
 
 
 def run_main():
+    global STEALTH_MODE, websafe
+
     # These will ensure that even if something between now and the
     # creation of the real logger below fails, we can still get
     # *something* meaningful.
     logger = None
     try:
         import paths
+        # When running in non-stealth mode, we need to escape entities,
+        # otherwise we're vulnerable to cross-site scripting attacks.
+        try:
+            if not STEALTH_MODE:
+                from Mailman.Utils import websafe
+        except:
+            STEALTH_MODE = 1
+            raise
         # Map stderr to a logger, if possible.
         from Mailman.Logging.StampedLogger import StampedLogger
         logger = StampedLogger('error',
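Review bot: the fallback to `STEALTH_MODE = 1` in the new inner `try` is bypassed if `import paths` on the line just above it raises, because that import sits in the outer `try` before the new block; in that case `STEALTH_MODE` keeps the admin's value (0 on sites that have not adopted the new default) and `websafe` is still the identity function when the handler further down prints the traceback and environment. Move `import paths` inside the inner `try`, or set `STEALTH_MODE = 1` before any import and reset it to the configured value only after `from Mailman.Utils import websafe` has succeeded. The bare `except:` with a re-raise is acceptable here since it re-raises, but catching `ImportError` would document the intent.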
@@ -140,11 +154,13 @@
 a description of what happened.  Thanks!
 
 <h4>Traceback:</h4><p><pre>'''
+        exc_info = sys.exc_info()
         if traceback:
-            traceback.print_exc(file=sys.stdout)
+            for line in traceback.format_exception(*exc_info):
+                print websafe(line),
         else:
             print '[failed to import module traceback]'
-            print '[exc: %s, var: %s]' % sys.exc_info()[0:2]
+            print '[exc: %s, var: %s]' % [websafe(x) for x in exc_info[0:2]]
         print '\n\n</pre></body>'
     else:
         print '''<p>Please inform the webmaster for this site of this
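Review bot: the new line `print '[exc: %s, var: %s]' % [websafe(x) for x in exc_info[0:2]]` is broken in two ways. A list on the right of `%` is a single argument, so the two-placeholder format raises `TypeError: not enough arguments for format string` (the original used the tuple slice `sys.exc_info()[0:2]` directly, which works); and `exc_info[0]` is an exception class, not a string, so `Mailman.Utils.websafe`, which escapes via string replacement, fails on it. Use `print '[exc: %s, var: %s]' % tuple([websafe(str(x)) for x in exc_info[0:2]])`. This branch only runs when the `traceback` module failed to import, so the defect will not show up in normal testing, which is all the more reason to get it right in the fallback path.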
@@ -212,7 +228,9 @@
 '''
         if os:
             for k, v in os.environ.items():
-                print '<tr><td><tt>', k, '</tt></td><td>', v, '</td></tr>'
+                print '<tr><td><tt>', websafe(k), \
+                      '</tt></td><td>', websafe(v), \
+                      '</td></tr>'
             print '</table>'
         else:
             print '<p><hr>[failed to import module os]'


Index: mailman.spec
===================================================================
RCS file: /cvs/dist/rpms/mailman/FC-2/mailman.spec,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- mailman.spec	14 Feb 2005 16:39:36 -0000	1.20
+++ mailman.spec	21 Mar 2005 20:05:18 -0000	1.21
@@ -42,7 +42,7 @@
 Summary: Mailing list manager with built in Web access.
 Name: mailman
 Version: 2.1.5
-Release: 9.fc2
+Release: 10.fc2
 Epoch: 3
 Group: Applications/Internet
 Source0: ftp://ftp.gnu.org/pub/gnu/mailman/mailman-%{version}.tgz
@@ -58,6 +58,7 @@
 Patch3: mailman-2.1-mailmanctl-status.patch
 Patch4: mailman-2.1-CAN-2005-0202.patch
 Patch5: mailman-2.1.5-moderator-request.patch
+Patch6: mailman-2.1-CAN-2004-1177.patch
 License: GPL
 URL: http://www.list.org/
 BuildRoot: %{_tmppath}/%{name}-root
@@ -88,6 +89,7 @@
 %patch3 -p1 -b .status
 %patch4 -p1 -b .CAN-2005-0202
 %patch5 -p0 -b .moderator-request
+%patch6 -p1 -b .CAN-2004-1177
 
 cp $RPM_SOURCE_DIR/mailman-README.REDHAT README.REDHAT
 cp $RPM_SOURCE_DIR/mailman.INSTALL.REDHAT.in INSTALL.REDHAT.in
@@ -334,6 +336,9 @@
 %attr(0755 root root) /etc/rc.d/init.d/mailman
 
 %changelog
+* Mon Mar 21 2005 John Dennis <jdennis at redhat.com> - 3:2.1.5-10.fc2
+- fix bug #147833, CAN-2004-1177
+
 * Mon Feb 14 2005 John Dennis <jdennis at redhat.com> - 3:2.1.5-9.fc2
 - fix bug #147856, moderator -1 admin requests pending
 
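Review bot: the changelog entry for 3:2.1.5-10.fc2 only cites the bug and CAN number, but the patch also changes the `STEALTH_MODE` default in `scripts/driver` from 0 to 1, which hides tracebacks and the environment dump from the web error page for every site that did not set it explicitly. That is a user-visible behaviour change and should be called out in the changelog (and in README.REDHAT, which the spec already installs) so administrators know where to look for the details that now appear only in the error log.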