Package: mailman / 1:2.1.18-2+deb8u2

93_CVE-2018-5950.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
diff -Nur mailman-2.1.18.orig/Mailman/Cgi/options.py mailman-2.1.18/Mailman/Cgi/options.py
--- mailman-2.1.18.orig/Mailman/Cgi/options.py	2018-02-08 07:33:41.000000000 +0100
+++ mailman-2.1.18/Mailman/Cgi/options.py	2018-02-08 07:34:19.736402702 +0100
@@ -152,20 +152,6 @@
     doc.set_language(userlang)
     i18n.set_language(userlang)
 
-    # See if this is VARHELP on topics.
-    varhelp = None
-    if cgidata.has_key('VARHELP'):
-        varhelp = cgidata['VARHELP'].value
-    elif os.environ.get('QUERY_STRING'):
-        # POST methods, even if their actions have a query string, don't get
-        # put into FieldStorage's keys :-(
-        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
-        if qs and type(qs) == types.ListType:
-            varhelp = qs[0]
-    if varhelp:
-        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
-        return
-
     # Are we processing an unsubscription request from the login screen?
     if cgidata.has_key('login-unsub'):
         # Because they can't supply a password for unsubscribing, we'll need
@@ -268,6 +254,22 @@
     # options.  The first set of checks does not require the list to be
     # locked.
 
+    # See if this is VARHELP on topics.
+    varhelp = None
+    if cgidata.has_key('VARHELP'):
+        varhelp = cgidata['VARHELP'].value
+    elif os.environ.get('QUERY_STRING'):
+        # POST methods, even if their actions have a query string, don't get
+        # put into FieldStorage's keys :-(
+        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
+        if qs and type(qs) == types.ListType:
+            varhelp = qs[0]
+    if varhelp:
+        # Sanitize the topic name.
+        varhelp = re.sub('<.*', '', varhelp)
+        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+        return
+
     if cgidata.has_key('logout'):
         print mlist.ZapCookie(mm_cfg.AuthUser, user)
         loginpage(mlist, doc, user, language)