Certain Malformed list names throw TypeError: in roster CGI

Bug #1661810 reported by Mark Sapiro
This bug affects 1 person
Affects: GNU Mailman
Assigned to: Mark Sapiro

Bug Description

We've seen attacks visiting URLs such as <http://example.com/mailman/roster/python-dev%2522%252dswffelqj%252d%2522>. The list name after unescaping is python-dev%22%2dswffelqj%2d%22 which websafes to the same thing.

Ultimately, this calls
    error_page(_('No such list <em>%(safelistname)s</em>'))

which in turn calls
    error_page_doc(doc, errmsg)

with the translated error message. The problem is error_page_doc is defined as

def error_page_doc(doc, errmsg, *args):

even though it is never called with any additional args. It then tries to interpolate the (empty) args into the errmsg string, which in this case contains a '%' and results in

TypeError: not enough arguments for format string

The solution, since error_page_doc is never called with extra arguments, is to just drop the *args and the attempted interpolation.
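As an added illustration (not Mailman's own code), the following simplified model of the roster CGI error path shows how the double-escaped list name from the report reaches error_page_doc with a '%' in it, why the old *args definition raises TypeError, and why dropping the interpolation fixes it. The websafe, error_page_doc_* and render_error names are stand-ins for this example only.

```python
from html import escape
from urllib.parse import unquote


def listname_from_path(path_info):
    """Single URL-unescape of the roster path component (what the CGI sees)."""
    return unquote(path_info.strip('/'))


def websafe(s):
    """Stand-in for Mailman's Utils.websafe: HTML-escape; '%' is left untouched."""
    return escape(s, quote=False)


def no_such_list_message(listname):
    """The already-interpolated message that roster.py hands to error_page()."""
    safelistname = websafe(listname)
    return 'No such list <em>%(safelistname)s</em>' % {'safelistname': safelistname}


def error_page_doc_buggy(doc, errmsg, *args):
    """Old definition: re-interpolates errmsg even though args is always ()."""
    doc.append(errmsg % args)  # a stray '%2d' in errmsg -> TypeError
    return doc


def error_page_doc_fixed(doc, errmsg):
    """Fixed definition: *args and the second interpolation are dropped."""
    doc.append(errmsg)
    return doc


def render_error(path_info, impl):
    """Drive one error_page_doc variant; returns ('ok', doc) or ('error', msg)."""
    listname = listname_from_path(path_info)
    try:
        return 'ok', impl([], no_such_list_message(listname))
    except TypeError as exc:
        return 'error', str(exc)


if __name__ == '__main__':
    # Constructed request path, double-escaped as in the report's URL.
    ATTACK_PATH = '/python-dev%2522%252dswffelqj%252d%2522'
    print(render_error(ATTACK_PATH, error_page_doc_buggy))
    print(render_error(ATTACK_PATH, error_page_doc_fixed))
```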

Mark Sapiro (msapiro)
Changed in mailman:
status: In Progress → Fix Committed
Mark Sapiro (msapiro)
Changed in mailman:
status: Fix Committed → Fix Released