author | Matthias Andree <mandree@FreeBSD.org> | 2024-04-16 19:03:13 +0000 |
---|---|---|
committer | Matthias Andree <mandree@FreeBSD.org> | 2024-04-16 19:08:53 +0000 |
commit | 725af8c49dfeaf525da5ac0aaa52e237dd11c67a (patch) | |
tree | 3e2fedb829e1c3c31d2b5ee463915a3a69c86f8c | |
parent | fd753bb287d0056b9afba57c33bf1da7dc2b1dfa (diff) | |
mail/mailman: add XSS patch for HTDIG-enabled builds
Reported by: Dan Niles
Obtained from: Dan Niles
https://github.com/danogh/mailman2.3/blob/main/Patches/htdig/mailman-htdig-xss.patch
-rw-r--r-- | mail/mailman/Makefile | 3 | ||||
-rw-r--r-- | mail/mailman/files/mailman-htdig-xss.patch | 16 |
2 files changed, 18 insertions, 1 deletions
diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile
index 2da052f7a57c..64fc99cd5a3b 100644
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@@ -1,6 +1,6 @@
 PORTNAME= mailman
 DISTVERSION= 2.1.39
-PORTREVISION= 3
+PORTREVISION= 4
 CATEGORIES= mail
 MASTER_SITES= GNU \
 SF/${PORTNAME}/Mailman%202.1%20%28stable%29/${PORTVERSION} \
@@ -139,6 +139,7 @@ PKGNAMESUFFIX:= ${PKGNAMESUFFIX}-with-htdig
 #X upload the latter with mode 0644 or similar to freefall's public_distfiles/ directory
 _HTDIGREV= 1822
 PATCHFILES+= msapiro-htdig-${_HTDIGREV}.patch.xz
+EXTRA_PATCHES+= ${FILESDIR}/mailman-htdig-xss.patch
 RUN_DEPENDS+= htdig:textproc/htdig
 PLIST_SUB+= SUB_HTDIG=""
 .else
diff --git a/mail/mailman/files/mailman-htdig-xss.patch b/mail/mailman/files/mailman-htdig-xss.patch
new file mode 100644
index 000000000000..454fb6530180
--- /dev/null
+++ b/mail/mailman/files/mailman-htdig-xss.patch
@@ -0,0 +1,16 @@
+Obtained from: Dan Niles
+https://github.com/danogh/mailman2.3/blob/main/Patches/htdig/mailman-htdig-xss.patch
+
+--- ./Mailman/Cgi/mmsearch.py.orig 2024-04-15 11:11:03.159081000 -0500
++++ ./Mailman/Cgi/mmsearch.py 2024-04-15 11:57:40.585341000 -0500
+@@ -146,6 +146,10 @@
+ raise _search_exception(listname, 'cgi', '-6- ' + detail)
+ if type(fs[fieldname]) is types.ListType:
+ raise _search_exception(listname, 'cgi', '-8- ' + detail)
++ if (re.search('[<>]', fs[fieldname].value) or
++ Utils.suspiciousHTML(fs[fieldname].value)):
++ raise _search_exception(listname, 'cgi',
++ '-15- suspicious parameter')
+ fieldhash[fieldname] = fs[fieldname].value
+ return urllib.urlencode(fieldhash)
+
|
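Review bot: The new `EXTRA_PATCHES+=` line in the second hunk carries two unstated dependencies: `Mailman/Cgi/mmsearch.py` only exists after the msapiro htdig patch listed in `PATCHFILES` has been applied, so this appears to rely on the framework applying distribution patches before `EXTRA_PATCHES`, and the file is deliberately not named `files/patch-*` so that it is never picked up by a non-HTDIG build. Neither is obvious to the next maintainer who renames or reorders these lines. A one-line comment above it would pin this down, e.g. `# must run after the msapiro htdig PATCHFILES (creates mmsearch.py) and must not be named patch-* (HTDIG-only)`. The `.if` that opens this HTDIG branch is outside the hunk.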
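Review bot: The added guard in the nested mmsearch.py hunk is an input denylist — it rejects only literal `<`/`>` plus whatever `Utils.suspiciousHTML` matches — and the value is then URL-encoded and passed on unchanged, so nothing here escapes the query where it is eventually rendered; if htsearch's result template echoes the query into an HTML attribute or a JavaScript string, a value containing `"`, `'` or `&` with no angle brackets still reaches it unescaped. Confirm how the search templates render the user's terms; if they land in an attribute context, either widen the check (`re.search(r'[<>"\']', fs[fieldname].value)`, at the cost of breaking quoted phrase searches) or fix the escaping in the template rather than here. It is good that the `-15-` branch does not append `detail` the way the `-6-`/`-8-` branches do, but `_search_exception` itself is outside the hunk — check that it does not echo the offending value without `Utils.websafe`. This also assumes `re` and `Utils` are already imported in mmsearch.py, which the hunk does not show; the enclosing loop over `fs` starts outside it.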