git: 725af8c49dfe - main - mail/mailman: add XSS patch for HTDIG-enabled builds

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Tue, 16 Apr 2024 21:35:23 UTC
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=725af8c49dfeaf525da5ac0aaa52e237dd11c67a

commit 725af8c49dfeaf525da5ac0aaa52e237dd11c67a
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2024-04-16 19:03:13 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2024-04-16 19:08:53 +0000

    mail/mailman: add XSS patch for HTDIG-enabled builds
    
    Reported by:    Dan Niles
    Obtained from:  Dan Niles
    https://github.com/danogh/mailman2.3/blob/main/Patches/htdig/mailman-htdig-xss.patch
---
 mail/mailman/Makefile                      |  3 ++-
 mail/mailman/files/mailman-htdig-xss.patch | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile
index 2da052f7a57c..64fc99cd5a3b 100644
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	mailman
 DISTVERSION=	2.1.39
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	mail
 MASTER_SITES=	GNU \
 		SF/${PORTNAME}/Mailman%202.1%20%28stable%29/${PORTVERSION} \
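Review bot: the PORTREVISION bump at `-PORTREVISION=	3` / `+PORTREVISION=	4` is port-wide, so the plain mailman package is rebuilt as well even though the new EXTRA_PATCHES line further down is guarded by the htdig conditional and changes nothing in that package; that is the expected cost of a single shared Makefile and is acceptable, but it is worth stating in the commit message that only the `-with-htdig` package actually picks up the fix.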
@@ -139,6 +139,7 @@ PKGNAMESUFFIX:=	${PKGNAMESUFFIX}-with-htdig
 #X upload the latter with mode 0644 or similar to freefall's public_distfiles/ directory
 _HTDIGREV=	1822
 PATCHFILES+=	msapiro-htdig-${_HTDIGREV}.patch.xz
+EXTRA_PATCHES+=	${FILESDIR}/mailman-htdig-xss.patch
 RUN_DEPENDS+=	htdig:textproc/htdig
 PLIST_SUB+=	SUB_HTDIG=""
 .else
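Review bot: the new `+EXTRA_PATCHES+=	${FILESDIR}/mailman-htdig-xss.patch` targets `Mailman/Cgi/mmsearch.py`, a file that only exists after the distfile patch `msapiro-htdig-${_HTDIGREV}.patch.xz` from the preceding PATCHFILES line has been applied, so this relies on the framework applying EXTRA_PATCHES after PATCHFILES; placing it inside the same `.if` block as PATCHFILES and RUN_DEPENDS is correct, since applying it in a non-htdig build would fail on the missing file. Consider a one-line comment next to it noting that it depends on the htdig patch above, so a later reorder of this block does not break the patch step.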
diff --git a/mail/mailman/files/mailman-htdig-xss.patch b/mail/mailman/files/mailman-htdig-xss.patch
new file mode 100644
index 000000000000..454fb6530180
--- /dev/null
+++ b/mail/mailman/files/mailman-htdig-xss.patch
@@ -0,0 +1,16 @@
+Obtained from: Dan Niles
+https://github.com/danogh/mailman2.3/blob/main/Patches/htdig/mailman-htdig-xss.patch
+
+--- ./Mailman/Cgi/mmsearch.py.orig	2024-04-15 11:11:03.159081000 -0500
++++ ./Mailman/Cgi/mmsearch.py	2024-04-15 11:57:40.585341000 -0500
+@@ -146,6 +146,10 @@
+             raise _search_exception(listname, 'cgi', '-6- ' + detail)
+         if  type(fs[fieldname]) is types.ListType:
+             raise _search_exception(listname, 'cgi', '-8- ' + detail)        
++        if (re.search('[<>]', fs[fieldname].value) or
++            Utils.suspiciousHTML(fs[fieldname].value)):
++            raise _search_exception(listname, 'cgi',
++                                    '-15- suspicious parameter')
+         fieldhash[fieldname] = fs[fieldname].value
+     return urllib.urlencode(fieldhash)
+
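Review bot: the inserted check calls `re.search` and `Utils.suspiciousHTML` but the embedded hunk adds no imports, so confirm that `mmsearch.py` as produced by the htdig patch already has `import re` and `from Mailman import Utils` at module level, otherwise the CGI will raise NameError on the first search instead of rejecting the parameter. The check is correctly placed after the `types.ListType` test, so `fs[fieldname].value` is only dereferenced for a single field; the `-15-` code follows the existing `-6-`/`-8-` numbering of `_search_exception` calls. Note also that this is a blocklist on the input (`[<>]` plus suspiciousHTML) applied before the values are re-encoded with `urllib.urlencode`; it closes the reported reflection path, but the values should still be HTML-escaped wherever the CGI later renders them, so that a bypass of the pattern does not reopen the XSS.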