FreeBSD Bugzilla – Attachment 195437 Details for Bug 229351
japanese/mailman may be also affected by JVN#00846677/JPCERT#97432283/CVE-2018-0618
[patch]
patch to fix CVE-2018-13796
patch-CVE-2018-13796 (text/plain), 1.37 KB, created by Yasuhito FUTATSUKI on 2018-07-25 03:52:18 UTC
>--- Mailman/Utils.py.orig 2018-07-23 23:47:28.192867000 +0900 >+++ Mailman/Utils.py 2018-07-23 23:54:02.077518000 +0900 >@@ -252,10 +252,28 @@ CRNLpat = re.compile(r'[^\x21-\x7e]') > def GetPathPieces(envar='PATH_INFO'): > path = os.environ.get(envar) > if path: >+ remote = os.environ.get('HTTP_FORWARDED_FOR', >+ os.environ.get('HTTP_X_FORWARDED_FOR', >+ os.environ.get('REMOTE_ADDR', >+ 'unidentified origin'))) > if CRNLpat.search(path): > path = CRNLpat.split(path)[0] >- syslog('error', 'Warning: Possible malformed path attack.') >- return [p for p in path.split('/') if p] >+ syslog('error', >+ 'Warning: Possible malformed path attack domain=%s remote=%s', >+ get_domain(), >+ remote) >+ # Check for listname injections that won't be websafed. >+ pieces = [p for p in path.split('/') if p] >+ # Get the longest listname or 20 if none. >+ if list_names(): >+ longest = max([len(x) for x in list_names()]) >+ else: >+ longest = 20 >+ if pieces and len(pieces[0]) > longest: >+ syslog('mischief', >+ 'Hostile listname: listname=%s: remote=%s', pieces[0], remote) >+ pieces[0] = pieces[0][:longest] + '...' >+ return pieces > return None > >
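Review bot: The new `remote` lookup in GetPathPieces prefers HTTP_FORWARDED_FOR and HTTP_X_FORWARDED_FOR over REMOTE_ADDR, and both of those come from request headers, so the remote= field in the 'error' and 'mischief' log entries can be chosen by the requester unless a trusted front-end proxy overwrites them. Since these entries exist to attribute hostile requests, consider always logging REMOTE_ADDR and recording the forwarded value as a separate, clearly untrusted field. The header value is also passed to syslog without the CRNLpat filtering that `path` receives, so it is worth applying the same pattern to `remote` before logging. A smaller point: list_names() is called twice on every request that carries a path (once in the `if`, once inside `max`); bind the result to a local variable and reuse it.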
Attachments on bug 229351: 194849 | 195390 | 195437