=== modified file 'Mailman/Defaults.py.in'
--- Mailman/Defaults.py.in      2008-06-18 18:43:31 +0000
+++ Mailman/Defaults.py.in      2008-06-29 00:35:55 +0000
@@ -109,6 +109,11 @@
# name of the temporary file that the program should operate on.
HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s'

+# A Python regular expression character class which defines the characters
+# allowed in list names.  Lists cannot be created with names containing any
+# character that doesn't match this class.
+ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
+


#####
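Review bot: The new setting is consumed in the MailList.py hunk by stripping every character that matches it and rejecting the name if anything is left, so it only behaves as an allowlist while the value stays a single bracket character class; a value such as `[a-z]+`, or one with anchors or alternation, would silently change what is rejected. I would state that constraint in the comment: `# Must remain a single character class ('[...]'): list creation strips every matching character and refuses the name if anything remains.` The class is lowercase-only, which is consistent with the lower-case assertion on the name in MailList.py.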

=== modified file 'Mailman/MTA/Utils.py'
--- Mailman/MTA/Utils.py        2005-08-27 01:40:17 +0000
+++ Mailman/MTA/Utils.py        2008-06-28 00:54:09 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2001,2002 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2008 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -17,6 +17,7 @@
"""Utilities for list creation/deletion hooks."""

import os
+import re
import pwd

from Mailman import mm_cfg
@@ -45,13 +46,17 @@
    #    backwards compatibility and may eventually go away (we really have no
    #    need for the -admin address anymore).
    #
+    # We escape a few special characters in the list name in the pipe command
+    # to avoid characters that might split the pipe into two commands.
+    safename = re.sub('([;|&`$])', r'\\\1', listname)
+    #
    # Seed this with the special cases.
-    aliases = [(listname,          '"|%s post %s"' % (wrapper, listname)),
+    aliases = [(listname,          '"|%s post %s"' % (wrapper, safename)),
               ]
    for ext in ('admin', 'bounces', 'confirm', 'join', 'leave', 'owner',
                'request', 'subscribe', 'unsubscribe'):
        aliases.append(('%s-%s' % (listname, ext),
-                        '"|%s %s %s"' % (wrapper, ext, listname)))
+                        '"|%s %s %s"' % (wrapper, ext, safename)))
    return aliases
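Review bot: The escape set on the `safename` line (semicolon, pipe, ampersand, backtick, dollar) is a denylist and omits at least the double quote and the backslash, both of which matter inside the `"|... post ..."` pipe command the aliases are built from: a double quote in the name would end the quoted command early and a backslash would pass through unescaped, though how the quoted command is parsed depends on the MTA. Since the effective control is the allowlist check added in MailList.py, this line is defence in depth and should say so: `# Best-effort only; list names are restricted to ACCEPTABLE_LISTNAME_CHARACTERS at creation time.` If the escaping is meant to stand on its own, add `"` and `\\` to the character class on that line. The alias left-hand sides (`listname` and the `'%s-%s'` names) are still built from the unescaped name; the function's signature is outside the hunk.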



=== modified file 'Mailman/MailList.py'
--- Mailman/MailList.py 2008-02-23 23:14:01 +0000
+++ Mailman/MailList.py 2008-06-29 05:07:10 +0000
@@ -475,6 +475,12 @@
        assert name == name.lower(), 'List name must be all lower case.'
        if Utils.list_exists(name):
            raise Errors.MMListAlreadyExistsError, name
+        # Problems and potential attacks can occur if the list name in the
+        # pipe to the wrapper in an MTA alias or other delivery process
+        # contains shell special characters so allow only defined characters
+        # (default = '[-+_.=a-z0-9]').
+        if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', name)) > 0:
+            raise Errors.BadListNameError, name
        # Validate what will be the list's posting address.  If that's
        # invalid, we don't want to create the mailing list.  The hostname
        # part doesn't really matter, since that better already be valid.
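Review bot: The allowlist test on the `re.sub(...)` line relies on `ACCEPTABLE_LISTNAME_CHARACTERS` being a single character class: `re.sub` strips matching text, so a configured value with a quantifier or anchors would no longer be the check the comment describes, and an empty `name` passes because nothing is left to strip. An anchored match states the intent directly and rejects the empty string: `if not re.match(r'^(?:%s)+\Z' % mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, name):` (with `\Z` rather than `$` so a trailing newline is not accepted). The check also runs after `Utils.list_exists(name)`, so an unvalidated name still reaches that lookup; placing it before the existence check would keep rejected names out of whatever that lookup consults, which is not visible here. Whether `re` is imported in MailList.py and where `Errors.BadListNameError` is defined cannot be seen in this diff, and the enclosing method starts and ends outside the hunk.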