#! /bin/sh /usr/share/dpatch/dpatch-run
## security-error_log.dpatch by <martin.pitt@ubuntu.com>
## All lines beginning with `## DP:' are a description of the patch.
diff -urNad mailman-2.1.8~/Mailman/Handlers/Decorate.py mailman-2.1.8/Mailman/Handlers/Decorate.py
9
--- mailman-2.1.8~/Mailman/Handlers/Decorate.py 2006-09-12 21:27:45.000000000 +0200
10
+++ mailman-2.1.8/Mailman/Handlers/Decorate.py 2006-09-12 21:28:44.000000000 +0200
12
# TK: Try to keep the message plain by converting the header/
13
# footer/oldpayload into unicode and encode with mcset/lcset.
14
# Try to decode qp/base64 also.
15
- uheader = unicode(header, lcset)
16
- ufooter = unicode(footer, lcset)
17
+ uheader = unicode(header, lcset, 'ignore')
18
+ ufooter = unicode(footer, lcset, 'ignore')
20
oldpayload = unicode(msg.get_payload(decode=True), mcset)
21
frontsep = endsep = u''
22
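Review bot: The `oldpayload` decode on the line right after the changed pair is left strict (`unicode(msg.get_payload(decode=True), mcset)`), so a message body whose bytes do not match the declared charset can still raise UnicodeDecodeError here, while the list-owner-configured header and footer are now tolerant; whether that exception is caught further up is outside the hunk. If the intent is that decoration never fails on bad bytes, the same errors argument belongs there too, `oldpayload = unicode(msg.get_payload(decode=True), mcset, 'ignore')`. Note also that `'ignore'` drops the offending bytes without trace; `'replace'` would leave a visible U+FFFD marker in the delivered message, so a mis-set `lcset` gets noticed instead of silently shortening the header text. The enclosing function starts before the hunk.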
diff -urNad mailman-2.1.8~/Mailman/Utils.py mailman-2.1.8/Mailman/Utils.py
23
--- mailman-2.1.8~/Mailman/Utils.py 2006-03-18 18:23:04.000000000 +0100
24
+++ mailman-2.1.8/Mailman/Utils.py 2006-09-12 21:28:29.000000000 +0200
26
from Mailman import Errors
27
from Mailman import Site
28
from Mailman.SafeDict import SafeDict
29
+from Mailman.Logging.Syslog import syslog
37
+# Patterns which may be used to form malicious path to inject a new
38
+# line in the mailman error log. (TK: advisory by Moritz Naumann)
39
+CRNLpat = re.compile(r'[^\x21-\x7e]')
41
def GetPathPieces(envar='PATH_INFO'):
42
path = os.environ.get(envar)
44
+ if CRNLpat.search(path):
45
+ path = CRNLpat.split(path)[0]
46
+ syslog('error', 'Warning: Possible malformed path attack.')
47
return [p for p in path.split('/') if p]
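Review bot: The new guard in GetPathPieces truncates at the first byte outside printable ASCII and then keeps serving the shortened path, so a request it has just logged as a possible attack is still processed rather than rejected; returning an empty list after the syslog call, `return []`, would fail closed, provided the callers treat an empty piece list as not-found (their behaviour is outside the hunk). The name `CRNLpat` and its comment undersell what `[^\x21-\x7e]` matches: not only CR/LF but space, tab, DEL and every non-ASCII byte, so a legitimate PATH_INFO containing a space is also cut and logged as an attack; suggest `# Anything outside printable ASCII (0x21-0x7e): blocks CR/LF log injection, but also matches space and non-ASCII`. `os.environ.get(envar)` can return None, in which case `CRNLpat.search(path)` raises TypeError one line earlier than the pre-existing `path.split` would have; `path = os.environ.get(envar) or ''` covers both. The warning deliberately omits the offending value, which is the right choice for a log-injection fix; if the value is ever needed for triage, log `repr(path)` rather than the raw string.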
51
# We have no available source of cryptographically
52
# secure random characters. Log an error and fallback
53
# to the user friendly passwords.
54
- from Mailman.Logging.Syslog import syslog
56
'urandom not available, passwords not secure')
57
return UserFriendly_MakeRandomPassword(length)
59
text = sdict.interpolate(utemplate)
60
except (TypeError, ValueError), e:
61
# The template is really screwed up
62
- from Mailman.Logging.Syslog import syslog
63
syslog('error', 'broken template: %s\n%s', filename, e)