MFH: r475623
- Rename patches * extra-patch-Mailman-Cgi-private.py to extra-patch-Mailman_Cgi_private.py * patch-CVE-2015-2775 to patch-Mailman_Utils.py * patch-CVE-2018-5950 to patch-Mailman_Cgi_options.py - Apply CVE-2018-0618 patches [1] PR: 229351 [1] Submitted by: Yasuhito FUTATSUKI Security: CVE-2018-0618 Approved by: ports-secteam (miwi@)
parent
78c981b501
commit
50c11a3131
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/branches/2018Q3/; revision=475861
|
@ -3,7 +3,7 @@
|
|||
|
||||
PORTNAME= mailman
|
||||
PORTVERSION= 2.1.14.j7
|
||||
PORTREVISION= 4
|
||||
PORTREVISION= 5
|
||||
PORTEPOCH= 1
|
||||
CATEGORIES= japanese mail
|
||||
MASTER_SITES= https://docs.python.jp/contrib/mailman/_static/ \
|
||||
|
@ -105,7 +105,7 @@ MAIL_GID?= courier
|
|||
|
||||
.if ${PORT_OPTIONS:MNAMAZU2}
|
||||
RUN_DEPENDS+= mknmz:japanese/namazu2
|
||||
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Mailman-Cgi-private.py
|
||||
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Mailman_Cgi_private.py
|
||||
.endif
|
||||
|
||||
pre-everything::
|
||||
|
|
|
@ -1,15 +0,0 @@
|
|||
--- Mailman/Utils.py.orig 2011-12-11 07:56:23 UTC
|
||||
+++ Mailman/Utils.py
|
||||
@@ -93,6 +93,12 @@ def list_exists(listname):
|
||||
#
|
||||
# The former two are for 2.1alpha3 and beyond, while the latter two are
|
||||
# for all earlier versions.
|
||||
+ #
|
||||
+ # But first ensure the list name doesn't contain a path traversal
|
||||
+ # attack.
|
||||
+ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
|
||||
+ syslog('mischief', 'Hostile listname: %s', listname)
|
||||
+ return False
|
||||
basepath = Site.get_listpath(listname)
|
||||
for ext in ('.pck', '.pck.last', '.db', '.db.last'):
|
||||
dbfile = os.path.join(basepath, 'config' + ext)
|
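--- a/japanese/mailman/files/patch-Mailman_Cgi_admin.py
+++ b/japanese/mailman/files/patch-Mailman_Cgi_admin.py
@@ -0,0 +1,11 @@
+--- Mailman/Cgi/admin.py.orig 2011-12-11 07:56:23 UTC
++++ Mailman/Cgi/admin.py
+@@ -266,7 +266,7 @@ def admin_overview(msg=''):
+else:
+advertised.append((mlist.GetScriptURL('admin'),
+mlist.real_name,
+- mlist.description))
++ Utils.websafe(mlist.description)))
+# Greeting depends on whether there was an error or not
+if msg:
+greeting = FontAttr(msg, color="ff5060", size="+1")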
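Review bot: The new `Utils.websafe(mlist.description)` call has no comment explaining why this one tuple member is escaped while `mlist.real_name` beside it is passed through unchanged. I would add above the `advertised.append((` call something like `# description is free text set by the list owner; escape it before it goes into the overview page (CVE-2018-0618)`. If `real_name` is left raw because it is constrained elsewhere, the same comment should say so, since that constraint is not visible in this hunk. admin_overview starts and ends outside the hunk, so any other place where it emits list attributes cannot be checked from here.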
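--- a/japanese/mailman/files/patch-Mailman_Gui_General.py
+++ b/japanese/mailman/files/patch-Mailman_Gui_General.py
@@ -0,0 +1,23 @@
+--- Mailman/Gui/General.py.orig 2011-12-11 07:56:23 UTC
++++ Mailman/Gui/General.py
+@@ -1,4 +1,4 @@
+-# Copyright (C) 2001-2011 by the Free Software Foundation, Inc.
++# Copyright (C) 2001-2018 by the Free Software Foundation, Inc.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+@@ -493,6 +493,14 @@ mlist.info.
+or not isinstance(val, IntType)):
+doc.addError(_("""<b>admin_member_chunksize</b> attribute not
+changed! It must be an integer > 0."""))
++ elif property == 'host_name':
++ try:
++ Utils.ValidateEmail('user@' + val)
++ except Errors.EmailAddressError:
++ doc.addError(_("""<b>host_name</b> attribute not changed!
++ It must be a valid domain name."""))
++ else:
++ GUIBase._setValue(self, mlist, property, val, doc)
+else:
+GUIBase._setValue(self, mlist, property, val, doc)
+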
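Review bot: The `host_name` branch checks a domain by running the address validator on `'user@' + val`, so a "valid domain name" here means whatever `Utils.ValidateEmail` accepts after the `@`, and that function is not visible in this patch. A comment above the `try:` would record the intent, for example `# Validate host_name via a dummy address; ValidateEmail rejects malformed or hostile values`. Only `Errors.EmailAddressError` is caught, so it is worth confirming that every rejection ValidateEmail can raise derives from that class, since anything else would likely surface as a CGI failure rather than the `doc.addError` message. The enclosing method starts outside the hunk.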
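--- a/japanese/mailman/files/patch-Mailman_Utils.py
+++ b/japanese/mailman/files/patch-Mailman_Utils.py
@@ -0,0 +1,117 @@
+--- Mailman/Utils.py.orig 2011-12-11 07:56:23 UTC
++++ Mailman/Utils.py
+@@ -1,4 +1,4 @@
+-# Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
++# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+@@ -93,6 +93,12 @@ def list_exists(listname):
+#
+# The former two are for 2.1alpha3 and beyond, while the latter two are
+# for all earlier versions.
++ #
++ # But first ensure the list name doesn't contain a path traversal
++ # attack.
++ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++ syslog('mischief', 'Hostile listname: %s', listname)
++ return False
+basepath = Site.get_listpath(listname)
+for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+dbfile = os.path.join(basepath, 'config' + ext)
+@@ -952,6 +958,7 @@ _badwords = [
+'<meta',
+'<object',
+'<script',
++ '@keyframes',
+r'\bj(?:ava)?script\b',
+r'\bvbs(?:cript)?\b',
+r'\bdomactivate\b',
+@@ -968,12 +975,14 @@ _badwords = [
+r'\bon(?:de)?activate\b',
+r'\bon(?:after|before)print\b',
+r'\bon(?:after|before)update\b',
++ r'\b(?:on)?animation(?:end|iteration|start)\b',
+r'\bonbefore(?:(?:de)?activate|copy|cut|editfocus|paste)\b',
+r'\bonbeforeunload\b',
+r'\bonbegin\b',
+r'\bonblur\b',
+r'\bonbounce\b',
+r'\bonbroadcast\b',
++ r'\boncanplay(?:through)?\b',
+r'\bon(?:cell)?change\b',
+r'\boncheckboxstatechange\b',
+r'\bon(?:dbl)?click\b',
+@@ -989,7 +998,9 @@ _badwords = [
+r'\bondrag(?:drop|end|enter|exit|gesture|leave|over)?\b',
+r'\bondragstart\b',
+r'\bondrop\b',
+- r'\bonend\b',
++ r'\bondurationchange\b',
++ r'\bonemptied\b',
++ r'\bonend(?:ed)?\b',
+r'\bonerror(?:update)?\b',
+r'\bonfilterchange\b',
+r'\bonfinish\b',
+@@ -999,21 +1010,28 @@ _badwords = [
+r'\bonkey(?:up|down|press)\b',
+r'\bonlayoutcomplete\b',
+r'\bon(?:un)?load\b',
++ r'\bonloaded(?:meta)?data\b',
++ r'\bonloadstart\b',
+r'\bonlosecapture\b',
+r'\bonmedia(?:complete|error)\b',
++ r'\bonmessage\b',
+r'\bonmouse(?:down|enter|leave|move|out|over|up|wheel)\b',
+r'\bonmove(?:end|start)?\b',
+r'\bon(?:off|on)line\b',
++ r'\bonopen\b',
+r'\bonoutofsync\b',
+r'\bonoverflow(?:changed)?\b',
+r'\bonpage(?:hide|show)\b',
+r'\bonpaint\b',
+r'\bonpaste\b',
+r'\bonpause\b',
++ r'\bonplay(?:ing)?\b',
++ r'\bonpopstate\b',
+r'\bonpopup(?:hidden|hiding|showing|shown)\b',
+r'\bonprogress\b',
+r'\bonpropertychange\b',
+r'\bonradiostatechange\b',
++ r'\bonratechange\b',
+r'\bonreadystatechange\b',
+r'\bonrepeat\b',
+r'\bonreset\b',
+@@ -1023,19 +1041,30 @@ _badwords = [
+r'\bonrow(?:delete|enter|exit|inserted)\b',
+r'\bonrows(?:delete|enter|inserted)\b',
+r'\bonscroll\b',
+- r'\bonseek\b',
++ r'\bonsearch\b',
++ r'\bonseek(?:ed|ing)?\b',
+r'\bonselect(?:start)?\b',
+r'\bonselectionchange\b',
++ r'\bonshow\b',
+r'\bonstart\b',
++ r'\bonstalled\b',
+r'\bonstop\b',
++ r'\bonstorage\b',
+r'\bonsubmit\b',
++ r'\bonsuspend\b',
+r'\bonsync(?:from|to)preference\b',
+r'\bonsyncrestored\b',
+r'\bontext\b',
+- r'\bontimeerror\b',
++ r'\bontime(?:error|update)\b',
++ r'\bontoggle\b',
++ r'\bontouch(?:cancel|end|move|start)\b',
+r'\bontrackchange\b',
++ r'\b(?:on)?transitionend\b',
+r'\bonunderflow\b',
+r'\bonurlflip\b',
++ r'\bonvolumechange\b',
++ r'\bonwaiting\b',
++ r'\bonwheel\b',
+r'\bseeksegmenttime\b',
+r'\bsvgabort\b',
+r'\bsvgerror\b',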
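Review bot: The `_badwords` additions extend an enumerated denylist of handler names, and nothing in the patch records which reference list the new entries came from or when it was taken, so a later maintainer cannot tell how current the filter is. I would add a comment above the new entries such as `# HTML5 media/touch/animation/storage handlers added for CVE-2018-0618; refresh when browsers add event attributes`. The list is compiled and applied outside these hunks, so whether the patterns match case-insensitively cannot be confirmed from here and should be checked. This file now also carries the `list_exists` listname check that used to live in patch-CVE-2015-2775, so after the rename the CVE numbers survive only in the commit log. A descriptive header line at the top of the patch file naming both CVEs would keep that traceable.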