Here is a history of user visible changes to Mailman.
+2.0.11 (20-May-2002)
+
+ - Closed two cross-site scripting vulnerabilities: one in the
+ admin login page, and one in the HTML archive indices.
+
2.0.10 (09-Apr-2002)
- Closed another small race condition.
Index: Mailman/Utils.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/Utils.py,v
retrieving revision 1.104.2.6
retrieving revision 1.104.2.8
diff -u -r1.104.2.6 -r1.104.2.8
--- Mailman/Utils.py 4 Apr 2002 21:14:23 -0000 1.104.2.6
+++ Mailman/Utils.py 20 May 2002 14:37:32 -0000 1.104.2.8
@@ -30,6 +30,7 @@
import time
import socket
import random
+import cgi
from UserDict import UserDict
from types import StringType
import random
@@ -610,7 +611,7 @@
-def GetRequestURI(fallback=None):
+def GetRequestURI(fallback=None, escape=1):
"""Return the full virtual path this CGI script was invoked with.
Newer web servers seems to supply this info in the REQUEST_URI
@@ -621,13 +622,17 @@
Optional argument `fallback' (default `None') is returned if both of
the above methods fail.
+ The url will be cgi escaped to prevent cross-site scripting attacks,
+ unless `escape' is set to 0.
"""
+ url = fallback
if os.environ.has_key('REQUEST_URI'):
- return os.environ['REQUEST_URI']
+ url = os.environ['REQUEST_URI']
elif os.environ.has_key('SCRIPT_NAME') and os.environ.has_key('PATH_INFO'):
- return os.environ['SCRIPT_NAME'] + os.environ['PATH_INFO']
- else:
- return fallback
+ url = os.environ['SCRIPT_NAME'] + os.environ['PATH_INFO']
+ if escape:
+ return cgi.escape(url)
+ return url
Index: Mailman/Version.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/Version.py,v
retrieving revision 1.20.2.10
retrieving revision 1.20.2.11
diff -u -r1.20.2.10 -r1.20.2.11
--- Mailman/Version.py 9 Apr 2002 21:06:16 -0000 1.20.2.10
+++ Mailman/Version.py 20 May 2002 15:16:08 -0000 1.20.2.11
@@ -15,7 +15,7 @@
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# Mailman version
-VERSION = "2.0.10"
+VERSION = "2.0.11"
# And as a hex number in the manner of PY_VERSION_HEX
ALPHA = 0xa
@@ -27,7 +27,7 @@
+See also the <a href="http://www.python.org/cgi-bin/faqw-mm.py">Mailman
+FAQ Wizard</a> for more information.
+
<h3>Mailman Frequently Asked Questions</h3>
'''
first = 1
Index: admin/www/download.ht
===================================================================
RCS file: /cvsroot/mailman/mailman/admin/www/download.ht,v
retrieving revision 1.5.2.13
retrieving revision 1.5.2.14
diff -u -r1.5.2.13 -r1.5.2.14
--- admin/www/download.ht 18 Apr 2002 03:49:52 -0000 1.5.2.13
+++ admin/www/download.ht 20 May 2002 15:17:42 -0000 1.5.2.14
@@ -60,9 +60,9 @@
<h3>Downloading</h3>
<p>Version
-(<!-VERSION--->2.0.10<!-VERSION--->,
+(<!-VERSION--->2.0.11<!-VERSION--->,
released on
-<!-DATE--->Apr 17 2002<!-DATE--->)
+<!-DATE--->May 20 2002<!-DATE--->)
is the current GNU release. It is available from the following mirror sites:
<ul>
Index: admin/www/download.html
===================================================================
RCS file: /cvsroot/mailman/mailman/admin/www/download.html,v
retrieving revision 1.6.2.15
retrieving revision 1.6.2.16
diff -u -r1.6.2.15 -r1.6.2.16
--- admin/www/download.html 18 Apr 2002 03:49:52 -0000 1.6.2.15
+++ admin/www/download.html 20 May 2002 15:17:42 -0000 1.6.2.16
@@ -1,7 +1,7 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<!-- THIS PAGE IS AUTOMATICALLY GENERATED. DO NOT EDIT. -->
-<!-- Wed Apr 17 23:48:35 2002 -->
+<!-- Mon May 20 11:16:31 2002 -->
<!-- USING HT2HTML 2.0 -->
<!-- SEE http://ht2html.sf.net -->
<!-- User-specified headers:
@@ -246,9 +246,9 @@
<h3>Downloading</h3>
<p>Version
-(<!-VERSION--->2.0.10<!-VERSION--->,
+(<!-VERSION--->2.0.11<!-VERSION--->,
released on
-<!-DATE--->Apr 17 2002<!-DATE--->)
+<!-DATE--->May 20 2002<!-DATE--->)
is the current GNU release. It is available from the following mirror sites:
-</b><br> See also <a href="http://www.python.org/cgi-bin/faqw-mm.py">http://www.python.org/cgi-bin/faqw-mm.py</a>
-<p> A. You spell it "Mailman", with a leading capital "M" and a lowercase
+</b><br> A. You spell it "Mailman", with a leading capital "M" and a lowercase
second "m". It is incorrect to spell it "MailMan" (i.e. you should
not use StudlyCaps).
<p> <b> Q. I'm getting really terrible performance for outgoing messages. It
Index: admin/www/faq.html
===================================================================
RCS file: /cvsroot/mailman/mailman/admin/www/faq.html,v
retrieving revision 1.10.2.4
retrieving revision 1.10.2.5
diff -u -r1.10.2.4 -r1.10.2.5
--- admin/www/faq.html 4 Apr 2002 18:07:26 -0000 1.10.2.4
+++ admin/www/faq.html 19 Apr 2002 03:36:23 -0000 1.10.2.5
@@ -1,7 +1,7 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<!-- THIS PAGE IS AUTOMATICALLY GENERATED. DO NOT EDIT. -->
-<!-- Thu Apr 4 12:57:32 2002 -->
+<!-- Thu Apr 18 23:35:52 2002 -->
<!-- USING HT2HTML 2.0 -->
<!-- SEE http://ht2html.sf.net -->
<!-- User-specified headers:
@@ -162,12 +162,14 @@
<!-- end of sidebar cell -->
<!-- start of body cell -->
<td valign="top" width="90%" class="body"><br>
+See also the <a href="http://www.python.org/cgi-bin/faqw-mm.py">Mailman
+FAQ Wizard</a> for more information.
+
<h3>Mailman Frequently Asked Questions</h3>
<b> Q. How do you spell this program?
-</b><br> See also <a href="http://www.python.org/cgi-bin/faqw-mm.py">http://www.python.org/cgi-bin/faqw-mm.py</a>
-<p> A. You spell it "Mailman", with a leading capital "M" and a lowercase
+</b><br> A. You spell it "Mailman", with a leading capital "M" and a lowercase
second "m". It is incorrect to spell it "MailMan" (i.e. you should
not use StudlyCaps).
<p> <b> Q. I'm getting really terrible performance for outgoing messages. It
