Index: FAQ =================================================================== RCS file: /cvsroot/mailman/mailman/FAQ,v retrieving revision 1.18.2.2 retrieving revision 1.18.2.3 diff -u -r1.18.2.2 -r1.18.2.3 --- FAQ 2001/01/03 06:33:27 1.18.2.2 +++ FAQ 2001/11/27 22:45:22 1.18.2.3 @@ -3,6 +3,7 @@ 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA FREQUENTLY ASKED QUESTIONS +See also http://www.python.org/cgi-bin/faqw-mm.py Q. How do you spell this program? Index: NEWS =================================================================== RCS file: /cvsroot/mailman/mailman/NEWS,v retrieving revision 1.25.2.10 retrieving revision 1.25.2.11 diff -u -r1.25.2.10 -r1.25.2.11 --- NEWS 2001/11/09 21:08:18 1.25.2.10 +++ NEWS 2001/11/27 22:52:39 1.25.2.11 @@ -4,6 +4,12 @@ Here is a history of user visible changes to Mailman. +2.0.8 (27-Nov-2001) + + Security fix release to prevent cross-site scripting exploits. + See http://www.cert.org/advisories/CA-2000-02.html for a + description of the general problem (not Mailman specific). + 2.0.7 (09-Nov-2001) Security fixes: Index: Mailman/Version.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Version.py,v retrieving revision 1.20.2.7 retrieving revision 1.20.2.8 diff -u -r1.20.2.7 -r1.20.2.8 --- Mailman/Version.py 2001/11/09 20:46:05 1.20.2.7 +++ Mailman/Version.py 2001/11/27 22:47:00 1.20.2.8 @@ -15,7 +15,7 @@ # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # Mailman version -VERSION = "2.0.7" +VERSION = "2.0.8" # And as a hex number in the manner of PY_VERSION_HEX ALPHA = 0xa 
@@ -27,7 +27,7 @@ MAJOR_REV = 2 MINOR_REV = 0 -MICRO_REV = 7 +MICRO_REV = 8 REL_LEVEL = FINAL # at most 15 beta releases! REL_SERIAL = 0 Index: Mailman/Cgi/admin.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/admin.py,v retrieving revision 1.82.2.4 retrieving revision 1.82.2.5 diff -u -r1.82.2.4 -r1.82.2.5 --- Mailman/Cgi/admin.py 2001/11/06 04:42:33 1.82.2.4 +++ Mailman/Cgi/admin.py 2001/11/27 20:23:53 1.82.2.5 @@ -67,7 +67,9 @@ try: mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: - FormatAdminOverview('No such list %s' % listname) + # Avoid cross-site scripting attack + safelistname = cgi.escape(listname) + FormatAdminOverview('No such list %s' % safelistname) syslog('error', 'Someone tried to access the admin interface for a ' 'non-existent list: %s' % listname) return Index: Mailman/Cgi/admindb.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/admindb.py,v retrieving revision 1.36.2.4 retrieving revision 1.36.2.5 diff -u -r1.36.2.4 -r1.36.2.5 --- Mailman/Cgi/admindb.py 2001/05/04 15:54:23 1.36.2.4 +++ Mailman/Cgi/admindb.py 2001/11/27 20:23:53 1.36.2.5 @@ -66,7 +66,9 @@ try: mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: - handle_no_list(doc, 'No such list %s
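Review bot: The new `safelistname = cgi.escape(listname)` line in the admin.py hunk relies on `cgi` already being in scope, but unlike the listinfo.py and options.py hunks this diff adds no `import cgi` for admin.py, nor for admindb.py, edithtml.py, handle_opts.py, private.py, roster.py or subscribe.py; presumably those modules already import it for `cgi.FieldStorage`, but that is worth confirming per file, since a missing import would surface as a traceback on exactly this unauthenticated error path. `cgi.escape` is called without `quote=1`, which is adequate here because `safelistname` is rendered as element text in `'No such list %s' % safelistname`; the quote form would be needed if the value were ever placed inside an attribute. The enclosing function continues outside the hunk.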

' % listname) + # Avoid cross-site scripting attack + safelistname = cgi.escape(listname) + handle_no_list(doc, 'No such list %s

' % safelistname) syslog('error', 'No such list "%s": %s\n' % (listname, e)) return # Index: Mailman/Cgi/edithtml.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/edithtml.py,v retrieving revision 1.12 retrieving revision 1.12.2.1 diff -u -r1.12 -r1.12.2.1 --- Mailman/Cgi/edithtml.py 2000/09/29 00:05:05 1.12 +++ Mailman/Cgi/edithtml.py 2001/11/27 20:23:53 1.12.2.1 @@ -1,4 +1,4 @@ -# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc. +# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -49,7 +49,9 @@ try: mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: - doc.AddItem(Header(2, 'No such list %s' % listname)) + # Avoid cross-site scripting attack + safelistname = cgi.escape(listname) + doc.AddItem(Header(2, 'No such list %s' % safelistname)) print doc.Format(bgcolor='#ffffff') syslog('error', 'No such list "%s": %s\n' % (listname, e)) return @@ -74,8 +76,10 @@ (mlist.real_name, template_info)) break else: + # Avoid cross-site scripting attack + safetmplname = cgi.escape(template_name) doc.SetTitle('Edit HTML : Error') - doc.AddItem(Header(2, "%s: Invalid template" % template_name)) + doc.AddItem(Header(2, "%s: Invalid template" % safetmplname)) doc.AddItem(mlist.GetMailmanFooter()) print doc.Format(bgcolor='#ffffff') return Index: Mailman/Cgi/handle_opts.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/Attic/handle_opts.py,v retrieving revision 1.30.2.3 retrieving revision 1.30.2.4 diff -u -r1.30.2.3 -r1.30.2.4 --- Mailman/Cgi/handle_opts.py 2001/07/10 14:52:32 1.30.2.3 +++ Mailman/Cgi/handle_opts.py 2001/11/27 20:23:53 1.30.2.4 
@@ -33,8 +33,9 @@ def PrintResults(mlist, operation, doc, results, user=None): if user: + # Avoid cross-site scripting attack url = '%s/%s' % (mlist.GetScriptURL('options'), - Utils.ObscureEmail(user)) + Utils.ObscureEmail(cgi.escape(user))) results = results + '

Continue to ' + \ Link(url, 'edit your personal options').Format() + \ '.' @@ -64,8 +65,10 @@ try: mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: + # Avoid cross-site scripting attack + safelistname = cgi.escape(listname) doc.AddItem(Header(2, "Error")) - doc.AddItem(Bold('No such list %s' % listname)) + doc.AddItem(Bold('No such list %s' % safelistname)) print doc.Format(bgcolor="#ffffff") syslog('error', 'No such list "%s": %s\n' % (listname, e)) return @@ -106,7 +109,9 @@ if not Utils.FindMatchingAddresses(user, mlist.members, mlist.digest_members): - PrintResults(mlist, operation, doc, "%s not a member!
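Review bot: `Utils.ObscureEmail(cgi.escape(user))` in the PrintResults hunk applies HTML escaping to a value that is then used as a URL path segment in `url = '%s/%s' % (...)`, which is the wrong layer for it: `cgi.escape` leaves `"` untouched by default, so it does not cover an attribute context if `Link(url, ...)` places the URL in an `href` (Link's implementation is outside this diff), and it rewrites `&` to `&amp;` inside the path, changing the link target for an address that legitimately contains one. URL-encoding the segment and leaving HTML escaping to the point of output would be cleaner, e.g. `urllib.quote(Utils.ObscureEmail(user))`, assuming ObscureEmail's result is meant to be a literal path segment; that needs `urllib` to be imported in handle_opts.py, which the diff does not show. PrintResults continues outside the hunk.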

" % user) + # Avoid cross-site scripting attack + safeuser = cgi.escape(user) + PrintResults(mlist, operation, doc, "%s not a member!

" % safeuser) if form.has_key("unsub"): operation = "Unsubscribe" Index: Mailman/Cgi/listinfo.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/listinfo.py,v retrieving revision 1.21 retrieving revision 1.21.2.1 diff -u -r1.21 -r1.21.2.1 --- Mailman/Cgi/listinfo.py 2000/09/29 00:05:05 1.21 +++ Mailman/Cgi/listinfo.py 2001/11/27 20:23:53 1.21.2.1 @@ -1,4 +1,4 @@ -# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc. +# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -20,6 +20,7 @@ # No lock needed in this script, because we don't change data. import os +import cgi import string from Mailman import mm_cfg @@ -41,7 +42,9 @@ try: mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: - FormatListinfoOverview('No such list %s' % listname) + # Avoid cross-site scripting attack + safelistname = cgi.escape(listname) + FormatListinfoOverview('No such list %s' % safelistname) syslog('error', 'listinfo: no such list "%s": %s' % (listname, e)) return Index: Mailman/Cgi/options.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/options.py,v retrieving revision 1.18 retrieving revision 1.18.2.1 diff -u -r1.18 -r1.18.2.1 --- Mailman/Cgi/options.py 2000/09/29 00:05:05 1.18 +++ Mailman/Cgi/options.py 2001/11/27 20:23:54 1.18.2.1 @@ -1,4 +1,4 @@ -# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc. +# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -27,6 +27,7 @@ import os import string +import cgi from Mailman import mm_cfg from Mailman import Utils 
@@ -53,8 +54,10 @@ try: mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: + # Avoid cross-site scripting attacks + safelistname = cgi.escape(listname) doc.AddItem(Header(2, "Error")) - doc.AddItem(Bold('No such list %s' % listname)) + doc.AddItem(Bold('No such list %s' % safelistname)) print doc.Format() syslog('error', 'No such list "%s": %s\n' % (listname, e)) return @@ -63,9 +66,10 @@ user = Utils.LCDomain(user) if not mlist.members.has_key(user) and \ not mlist.digest_members.has_key(user): - # then + # Avoid cross-site scripting attacks + safeuser = cgi.escape(user) doc.AddItem(Header(2, "Error")) - doc.AddItem(Bold("%s: No such member %s." % (listname, `user`))) + doc.AddItem(Bold("%s: No such member %s." % (listname, safeuser))) doc.AddItem(mlist.GetMailmanFooter()) print doc.Format() return Index: Mailman/Cgi/private.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/private.py,v retrieving revision 1.23 retrieving revision 1.23.2.1 diff -u -r1.23 -r1.23.2.1 --- Mailman/Cgi/private.py 2000/10/02 20:52:35 1.23 +++ Mailman/Cgi/private.py 2001/11/27 20:23:54 1.23.2.1 @@ -1,4 +1,4 @@ -# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc. +# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -130,7 +130,9 @@ mlist = MailList.MailList(listname, lock=0) mlist.IsListInitialized() except Errors.MMListError, e: - msg = 'No such list %s' % listname + # Avoid cross-site scripting attacks + safelistname = cgi.escape(listname) + msg = 'No such list %s' % safelistname doc.SetTitle("Private Archive Error - %s" % msg) doc.AddItem(Header(2, msg)) print doc.Format(bgcolor="#FFFFFF") 
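Review bot: In the options.py hunk at @@ -63, `listname` is still interpolated raw in `"%s: No such member %s." % (listname, safeuser)` while only the member address is escaped; it has passed `MailList.MailList(listname, lock=0)` by this point and so names an existing list, but escaping both operands, `% (cgi.escape(listname), safeuser)`, removes the need for that per-site reasoning. The rewrite also drops the backtick repr around `user` that the old line had, so the address is now rendered without surrounding quotes; that looks intentional but is a visible wording change worth confirming. The enclosing function continues outside the hunk.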
@@ -190,10 +192,13 @@ else: f = open(true_filename, 'r') except IOError: + # Avoid cross-site scripting attacks + safetruefilename = cgi.escape(true_filename) + safepath = cgi.escape(path) print 'Content-type: text/html\n' print "

Archive File Not Found

" - print "No file", path, '(%s)' % true_filename + print "No file", safepath, '(%s)' % safetruefilename else: print 'Content-type: %s\n' % ctype sys.stdout.write(f.read()) Index: Mailman/Cgi/roster.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/roster.py,v retrieving revision 1.11 retrieving revision 1.11.2.1 diff -u -r1.11 -r1.11.2.1 --- Mailman/Cgi/roster.py 2000/09/29 00:05:05 1.11 +++ Mailman/Cgi/roster.py 2001/11/27 20:23:54 1.11.2.1 @@ -1,4 +1,4 @@ -# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc. +# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -47,7 +47,9 @@ try: mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: - error_page('No such list %s' % listname) + # Avoid cross-site scripting attacks + safelistname = cgi.escape(listname) + error_page('No such list %s' % safelistname) syslog('error', 'roster: no such list "%s": %s' % (listname, e)) return Index: Mailman/Cgi/subscribe.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/subscribe.py,v retrieving revision 1.29.2.1 retrieving revision 1.29.2.2 diff -u -r1.29.2.1 -r1.29.2.2 --- Mailman/Cgi/subscribe.py 2001/05/03 21:05:43 1.29.2.1 +++ Mailman/Cgi/subscribe.py 2001/11/27 20:23:54 1.29.2.2 
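Review bot: The IOError branch in the private.py hunk at @@ -190 now escapes `true_filename` but still echoes it to the client in `print "No file", safepath, '(%s)' % safetruefilename`; `true_filename` is the path handed to `open(true_filename, 'r')`, i.e. the resolved server-side archive location, so the page discloses filesystem layout to anyone requesting a non-existent file, independently of the cross-site scripting issue being fixed. Printing only the requested `safepath` to the client and recording `true_filename` in the server log would keep the diagnostic without the disclosure. The enclosing function continues outside the hunk.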
@@ -44,8 +44,10 @@ try: mlist = MailList.MailList(listname, lock=0) except Errors.MMListError, e: + # Avoid cross-site scripting attacks + safelistname = cgi.escape(listname) doc.AddItem(Header(2, "Error")) - doc.AddItem(Bold('No such list %s' % listname)) + doc.AddItem(Bold('No such list %s' % safelistname)) print doc.Format(bgcolor="#ffffff") syslog('error', 'No such list "%s": %s\n' % (listname, e)) return Index: admin/bin/faq2ht.py =================================================================== RCS file: /cvsroot/mailman/mailman/admin/bin/faq2ht.py,v retrieving revision 1.1 retrieving revision 1.1.2.1 diff -u -r1.1 -r1.1.2.1 --- admin/bin/faq2ht.py 2000/11/08 18:46:43 1.1 +++ admin/bin/faq2ht.py 2001/11/27 22:47:50 1.1.2.1 @@ -45,6 +45,7 @@ question = [] answer = [] faq = [] + inquestion = 0 while 1: line = lines[lineno][:-1] Index: admin/www/admins.html =================================================================== RCS file: /cvsroot/mailman/mailman/admin/www/admins.html,v retrieving revision 1.4.2.1 retrieving revision 1.4.2.2 diff -u -r1.4.2.1 -r1.4.2.2 --- admin/www/admins.html 2001/01/05 16:23:07 1.4.2.1 +++ admin/www/admins.html 2001/11/27 22:27:41 1.4.2.2 @@ -1,8 +1,8 @@ - - - + + + - - - + + + - - - + + + 2.0.7, +(2.0.8, released on -Nov 9 2001) +Nov 27 2001) is the current GNU release. It is available from the following mirror sites: