Cannot edit the "User specific options page".
Bug #557937 reported by aschwer
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNU Mailman | Fix Released | Undecided | Unassigned |
Bug Description
The options.html template cannot be edited via the Web Admin Interface.
Navigating:
Edit the public HTML pages and text files -> User specific options page -> Submit Changes (even if there are no changes; i.e. the default template) results in the error:
"The page you saved contains suspicious HTML that could potentially expose your users to cross-site scripting attacks. This change has therefore been rejected. If you still want to make these changes, you must have shell access to your Mailman server.
See FAQ 4.48.
Page Unchanged."
1) It is only by accident I saw this report. All Mailman bugs, even for 2.1, should be reported at <https://bugs.launchpad.net/mailman>. The sourceforge tracker is only available so old URLs to bug reports still work.
2) I have confirmed the issue. It is because of the line <link rel="SHORTCUT ICON" href="<mm-favicon>"> in the template. If you remove the 'link' tag, you can edit the rest of the template.
3) There are two ways to fix this. In general, link tags are a viable attack vector in some browsers, so I don't want to just allow them. I could just remove the offending link tag from the template, but people may like it and that wouldn't fix the problem if there were previously edited site, domain or list versions of the template in the installation.
So I have opted to fix this by exempting this specific tag with this patch:
--- Mailman/Utils.py 2008-11-13 04:02:29 +0000 mm-favicon> ">)', (?:^|\W) j(?:ava) ?script( ?:\W|$) ',
+++ Mailman/Utils.py 2008-12-05 22:36:30 +0000
@@ -905,7 +905,8 @@
# Many thanks are due to Moritz Naumann for his assistance with this.
_badwords = [
'<i?frame',
- '<link',
+ # Kludge to allow the specific tag that's in the options.html template.
+ '<link(?! rel="SHORTCUT ICON" href="<
'<meta',
'<script',
r'
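Review bot: the negative lookahead added to `_badwords` exempts one exact byte sequence, ` rel="SHORTCUT ICON" href="<mm-favicon>">`, so a site, domain or list copy of options.html that was once re-saved with different spacing, quoting or attribute order around that tag will still be rejected, which is the very case point 3 set out to cover. Consider a whitespace-tolerant form such as `r'<link(?!\s+rel="SHORTCUT ICON"\s+href="<mm-favicon>"\s*>)'`, or at least extend the "Kludge" comment to say that the exemption is byte-for-byte and that any edit to the favicon tag re-triggers the rejection. Because the lookahead runs through the closing `">`, nothing can be appended inside the exempted tag itself, so the exemption does not widen what a `<link` can carry.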
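The check described in points 2 and 3 above, as an added example that is not Mailman's own code: a small reimplementation of the forbidden-fragment regex, its pre-patch and post-patch behaviour on the favicon tag, and a whitespace-tolerant variant of the exemption (a suggestion for illustration, not part of the patch). The fragment list, the case-insensitive matching, the helper names and every template snippet are constructed assumptions for this example; they are not the real options.html and not the full list in Mailman/Utils.py.

```python
import re

# Constructed for this illustration: echoes the entries visible in the
# patch but is NOT the full list from Mailman/Utils.py.  "Before" is the
# pre-patch list, where any <link tag at all is suspicious.
BADWORDS_BEFORE = [
    '<i?frame',
    '<link',
    '<meta',
    '<script',
    r'(?:^|\W)j(?:ava)?script(?:\W|$)',
]

# "After" mirrors the patch: <link stays suspicious unless it is followed
# by exactly the favicon attributes from the stock options.html template.
# The lookahead runs through the closing '">', so nothing can be smuggled
# into the exempted tag itself.
BADWORDS_AFTER = [
    '<i?frame',
    '<link(?! rel="SHORTCUT ICON" href="<mm-favicon>">)',
    '<meta',
    '<script',
    r'(?:^|\W)j(?:ava)?script(?:\W|$)',
]

# Whitespace-tolerant variant of the same exemption (a suggestion, not part
# of the patch): still pins rel, href and the closing '>', but lets a
# previously edited copy with different spacing through.
BADWORDS_TOLERANT = [
    '<i?frame',
    r'<link(?!\s+rel="SHORTCUT ICON"\s+href="<mm-favicon>"\s*>)',
    '<meta',
    '<script',
    r'(?:^|\W)j(?:ava)?script(?:\W|$)',
]


def suspicious_html(html, badwords):
    """Return True if any forbidden fragment occurs in ``html``.

    Matching is case-insensitive here (a choice made for this example, an
    assumption about the real check).  The negative lookahead is therefore
    case-insensitive too, so <LINK REL="shortcut icon" ...> is exempted
    exactly like the stock tag.
    """
    pattern = re.compile('|'.join(badwords), re.IGNORECASE)
    return pattern.search(html) is not None


def verdicts(html):
    """Run one template through all three lists; True means 'rejected'."""
    return {
        'before': suspicious_html(html, BADWORDS_BEFORE),
        'after': suspicious_html(html, BADWORDS_AFTER),
        'tolerant': suspicious_html(html, BADWORDS_TOLERANT),
    }


# Constructed stand-ins for template content (not the real options.html).
STOCK_HEAD = (
    '<html><head>\n'
    '<link rel="SHORTCUT ICON" href="<mm-favicon>">\n'
    '<title>Membership options for <MM-List-Name></title>\n'
    '</head><body></body></html>'
)
# Same tag, but a site admin once re-saved it with two spaces after <link.
RESPACED_HEAD = STOCK_HEAD.replace('<link rel=', '<link  rel=')
# Same tag in different case.
UPPERCASE_HEAD = STOCK_HEAD.replace(
    '<link rel="SHORTCUT ICON" href="<mm-favicon>">',
    '<LINK REL="shortcut icon" HREF="<mm-favicon>">')
# A hostile edit: an external stylesheet (the reason <link is on the list).
HOSTILE_HEAD = STOCK_HEAD.replace(
    '</head>',
    '<link rel="stylesheet" href="http://attacker.example/x.css"></head>')
# Another hostile edit: an inline script placed after the exempted tag.
SCRIPT_HEAD = STOCK_HEAD.replace('</head>', '<script>alert(1)</script></head>')

if __name__ == '__main__':
    for name in ('STOCK_HEAD', 'RESPACED_HEAD', 'UPPERCASE_HEAD',
                 'HOSTILE_HEAD', 'SCRIPT_HEAD'):
        print(name, verdicts(globals()[name]))
```

The stock head is rejected by the pre-patch list and accepted by both post-patch variants; the copy with an extra space is accepted only by the tolerant variant; the external stylesheet and the inline script are rejected by all three, which is the behaviour the exemption must preserve.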