cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
0b0a3a8533
openbsd-ports/mail/mailman/patches/patch-scripts_driver
brad 927db06948 Florian Weimer has discovered a cross-site scripting vulnerability in 
the error messages that are produced by Mailman.

CAN-2004-1177
2005-01-26 05:28:53 +00:00

69 lines
2.5 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

$OpenBSD: patch-scripts_driver,v 1.1 2005/01/26 05:28:53 brad Exp $
--- scripts/driver.orig Wed Jan 26 00:16:53 2005
+++ scripts/driver Wed Jan 26 00:20:53 2005
@@ -28,9 +28,13 @@ import sys
# comfortable with. By setting STEALTH_MODE to 1, you disable the printing of
# this information to the web pages. This information is still, and always,
# printed in the error logs.
-STEALTH_MODE = 0
+STEALTH_MODE = 1
+# This will be set to the entity escaper.
+def websafe(s):
+ return s
+
# This standard driver script is used to run CGI programs, wrapped in code
# that catches errors, and displays them as HTML. This guarantees that
@@ -53,12 +57,22 @@ STEALTH_MODE = 0
def run_main():
+ global STEALTH_MODE, websafe
+
# These will ensure that even if something between now and the
# creation of the real logger below fails, we can still get
# *something* meaningful.
logger = None
try:
import paths
+ # When running in non-stealth mode, we need to escape entities,
+ # otherwise we're vulnerable to cross-site scripting attacks.
+ try:
+ if not STEALTH_MODE:
+ from Mailman.Utils import websafe
+ except:
+ STEALTH_MODE = 1
+ raise
# Map stderr to a logger, if possible.
from Mailman.Logging.StampedLogger import StampedLogger
logger = StampedLogger('error',
@@ -140,11 +154,13 @@ please email a copy of this page to the
a description of what happened. Thanks!
<h4>Traceback:</h4><p><pre>'''
+ exc_info = sys.exc_info()
if traceback:
- traceback.print_exc(file=sys.stdout)
+ for line in traceback.format_exception(*exc_info):
+ print websafe(line),
else:
print '[failed to import module traceback]'
- print '[exc: %s, var: %s]' % sys.exc_info()[0:2]
+ print '[exc: %s, var: %s]' % [websafe(x) for x in exc_info[0:2]]
print '\n\n</pre></body>'
else:
print '''<p>Please inform the webmaster for this site of this
@@ -212,7 +228,9 @@ def print_environment(logfp=None):
'''
if os:
for k, v in os.environ.items():
- print '<tr><td><tt>', k, '</tt></td><td>', v, '</td></tr>'
+ print '<tr><td><tt>', websafe(k), \
+ '</tt></td><td>', websafe(v), \
+ '</td></tr>'
print '</table>'
else:
print '<p><hr>[failed to import module os]'
Reference in New Issue View Git Blame Copy Permalink