Certain Malformed list names throw TypeError: in roster CGI
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
GNU Mailman |
Fix Released
|
Low
|
Mark Sapiro |
Bug Description
We've seen attacks visiting URLs such as <http://
Ultimately, this calls
error_
which in turn calls
error_
with the translated error message. The problem is error_page_doc is defined as
def error_page_doc(doc, errmsg, *args):
even though it is never called with any additional args. It then tries to interpolate the (empty) args into the errmsg string which in this case contains a '%' an results in
TypeError: not enough arguments for format string
The solution, since error_page_doc is never called with extra arguments is to just drop the *args and the attempted interpolation.
Related branches
Changed in mailman: | |
status: | In Progress → Fix Committed |
Changed in mailman: | |
status: | Fix Committed → Fix Released |