File mailman-2.1.11-CVE-2015-2775.patch of Package mailman.15639
=== modified file 'Mailman/Defaults.py.in'
@@ -118,7 +118,7 @@ HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/l
# A Python regular expression character class which defines the characters
# allowed in list names. Lists cannot be created with names containing any
-# character that doesn't match this class.
+# character that doesn't match this class. Do not include '/' in this list.
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
@@ -92,6 +92,12 @@ def list_exists(listname):
# The former two are for 2.1alpha3 and beyond, while the latter two are
# for all earlier versions.
+ # But first ensure the list name doesn't contain a path traversal
+ # attack.
+ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
+ syslog('mischief', 'Hostile listname: %s', listname)
+ return False
basepath = Site.get_listpath(listname)
for ext in ('.pck', '.pck.last', '.db', '.db.last'):
dbfile = os.path.join(basepath, 'config' + ext)