38 lines
1.6 KiB
Plaintext
38 lines
1.6 KiB
Plaintext
$OpenBSD: patch-Mailman_Cgi_confirm_py,v 1.1 2011/03/03 09:50:11 jasper Exp $
|
|
|
|
Security fix for CVE-2011-0707.
|
|
Mailman "Full Name" Script Insertion Vulnerabilities.
|
|
|
|
Patch from upstream announcement:
|
|
http://mail.python.org/pipermail/mailman-announce/2011-February/000158.html
|
|
|
|
--- Mailman/Cgi/confirm.py.orig Mon Sep 20 20:18:27 2010
|
|
+++ Mailman/Cgi/confirm.py Thu Mar 3 10:47:51 2011
|
|
@@ -471,7 +471,7 @@ def unsubscription_prompt(mlist, doc, cookie, addr):
|
|
if fullname is None:
|
|
fullname = _('<em>Not available</em>')
|
|
else:
|
|
- fullname = Utils.uncanonstr(fullname, lang)
|
|
+ fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
|
|
table.AddRow([_("""Your confirmation is required in order to complete the
|
|
unsubscription request from the mailing list <em>%(listname)s</em>. You
|
|
are currently subscribed with
|
|
@@ -573,7 +573,7 @@ def addrchange_prompt(mlist, doc, cookie, oldaddr, new
|
|
if fullname is None:
|
|
fullname = _('<em>Not available</em>')
|
|
else:
|
|
- fullname = Utils.uncanonstr(fullname, lang)
|
|
+ fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
|
|
if globally:
|
|
globallys = _('globally')
|
|
else:
|
|
@@ -814,7 +814,7 @@ def reenable_prompt(mlist, doc, cookie, list, member):
|
|
if username is None:
|
|
username = _('<em>not available</em>')
|
|
else:
|
|
- username = Utils.uncanonstr(username, lang)
|
|
+ username = Utils.websafe(Utils.uncanonstr(username, lang))
|
|
|
|
table.AddRow([_("""Your membership in the %(realname)s mailing list is
|
|
currently disabled due to excessive bounces. Your confirmation is
|