SECURITY: Unsafe display of held messages

Bug #265579 reported by Lindahl
Affects: GNU Mailman | Status: Fix Released | Importance: Critical | Assigned to: Unassigned | Milestone: (none listed)

Bug Description

In 2.0.6, I have noticed that some spam message
contents cause the /TEXTAREA tag to not get
interpreted, which means that the next bit of HTML
appears in the TEXTAREA, up until the next /TEXTAREA
tag, which is after the header of the succeeding message.

This makes me fear that javascript might get executed,
or other bad things.

If you like I can provide an example message that
triggers this. I have old lists that get lots of spam.

[http://sourceforge.net/tracker/index.php?func=detail&aid=486340&group_id=103&atid=100103]

Lindahl (lindahl) wrote :

This diff seems to cure the problem, although I'm not a
Python guy so I don't know if it's the Right Thing To Do:

[mailman@nixon Cgi]$ diff -c admindb.py? admindb.py
*** admindb.py~ Thu Nov 8 22:15:29 2001
--- admindb.py Thu Nov 29 10:51:56 2001
***************
*** 268,274 ****
      row, col = t.GetCurrentRowIndex(), t.GetCurrentCellIndex()
      t.AddCellInfo(row, col-1, align='right')
      t.AddRow([Bold('Message Excerpt:'),
! TextArea('fulltext-%d' % id, text, rows=10,
cols=80)])
      t.AddCellInfo(row+1, col-1, align='right')
      form.AddItem(t)
      form.AddItem('<p>')
--- 268,274 ----
      row, col = t.GetCurrentRowIndex(), t.GetCurrentCellIndex()
      t.AddCellInfo(row, col-1, align='right')
      t.AddRow([Bold('Message Excerpt:'),
! TextArea('fulltext-%d' % id,
cgi.escape(text), rows=10, cols=80)])
      t.AddCellInfo(row+1, col-1, align='right')
      form.AddItem(t)
      form.AddItem('<p>')
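Review bot: the hunk calls cgi.escape() but does not show a matching `import cgi`; confirm admindb.py already imports the module, otherwise rendering the held-message page will fail with a NameError instead of escaping anything. The escaping itself is the right fix for this spot: cgi.escape() with its default quote=False turns `&`, `<` and `>` into entities, and since the only way out of a TEXTAREA's content is a literal closing tag, converting `<` is what stops a message body from terminating the element early. Note also that the two `!` lines are each wrapped onto a second line (`cols=80)])` and `cgi.escape(text), rows=10, cols=80)])`), so this copy will not apply with patch(1); attach the unwrapped file.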

Barry Warsaw (barry) wrote :

Side note: your patch got wrapped by the tracker, so it's
always better to attach patches rather than include them in
followups.

But if I get the drift, you're just cgi.escape()'ing the
text inserted into the TEXTAREA, right? I believe that's a
good idea. I'll add this to 2.0.x (perhaps requiring a
2.0.9 release) and to 2.1.

Please do attach an example message so I can add it to my
test case.
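The break-out described in the report and the effect of the escaping fix discussed above, as an added example that is not part of the bug thread or of Mailman's code. The two render functions are hypothetical stand-ins for the TextArea() call in admindb.py, the message body is constructed, and html.escape()/html.unescape() are used in place of the now-removed cgi.escape().

```python
import html
import re

# Constructed sample held message: its body closes the excerpt's TEXTAREA
# early, so the markup that follows is parsed as live HTML on the admindb page.
SAMPLE_BODY = (
    "Buy now!!!\n"
    "</textarea><script>alert('admindb')</script><textarea>\n"
    "rest of the spam"
)

def render_excerpt_vulnerable(msg_id, text):
    """Pre-patch behaviour (hypothetical stand-in for Mailman's TextArea()):
    the message text is dropped into the TEXTAREA verbatim."""
    return '<textarea name="fulltext-%d" rows="10" cols="80">%s</textarea>' % (msg_id, text)

def render_excerpt_fixed(msg_id, text):
    """Patched behaviour: escape &, < and > before insertion. html.escape()
    with quote=False matches what cgi.escape(text) did by default."""
    return '<textarea name="fulltext-%d" rows="10" cols="80">%s</textarea>' % (
        msg_id, html.escape(text, quote=False))

# A TEXTAREA is RCDATA: tags inside it are inert, only a closing tag ends it.
_CLOSE_RE = re.compile(r"</textarea\s*>", re.IGNORECASE)

def textarea_content(rendered):
    """Return what a browser treats as the TEXTAREA's content: everything
    between the end of the opening tag and the first closing tag."""
    start = rendered.index(">") + 1
    close = _CLOSE_RE.search(rendered, start)
    return rendered[start:close.start()]

def breaks_out(rendered, text):
    """True if part of the message text escaped the first TEXTAREA, i.e. the
    page now contains attacker-chosen markup outside the element."""
    return html.unescape(textarea_content(rendered)) != text

def main():
    for name, render in (("vulnerable", render_excerpt_vulnerable),
                         ("fixed", render_excerpt_fixed)):
        page = render(1, SAMPLE_BODY)
        print("%-10s breaks out of TEXTAREA: %s" % (name, breaks_out(page, SAMPLE_BODY)))

if __name__ == "__main__":
    main()
```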
