mail/mailman: add XSS patch for HTDIG-enabled builds

Reported by: Dan Niles Obtained from: Dan Niles https://github.com/danogh/mailman2.3/blob/main/Patches/htdig/mailman-htdig-xss.patch
freebsd · Apr 16, 2024 · 725af8c · 725af8c
1 parent fd753bb
commit 725af8c
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	mailman
 DISTVERSION=	2.1.39
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	mail
 MASTER_SITES=	GNU \
 		SF/${PORTNAME}/Mailman%202.1%20%28stable%29/${PORTVERSION} \
@@ -139,6 +139,7 @@ PKGNAMESUFFIX:=	${PKGNAMESUFFIX}-with-htdig
 #X upload the latter with mode 0644 or similar to freefall's public_distfiles/ directory
 _HTDIGREV=	1822
 PATCHFILES+=	msapiro-htdig-${_HTDIGREV}.patch.xz
+EXTRA_PATCHES+=	${FILESDIR}/mailman-htdig-xss.patch
 RUN_DEPENDS+=	htdig:textproc/htdig
 PLIST_SUB+=	SUB_HTDIG=""
 .else

diff --git a/mail/mailman/files/mailman-htdig-xss.patch b/mail/mailman/files/mailman-htdig-xss.patch
@@ -0,0 +1,16 @@
+Obtained from: Dan Niles
+https://github.com/danogh/mailman2.3/blob/main/Patches/htdig/mailman-htdig-xss.patch
+
+--- ./Mailman/Cgi/mmsearch.py.orig	2024-04-15 11:11:03.159081000 -0500
++++ ./Mailman/Cgi/mmsearch.py	2024-04-15 11:57:40.585341000 -0500
+@@ -146,6 +146,10 @@
+             raise _search_exception(listname, 'cgi', '-6- ' + detail)
+         if  type(fs[fieldname]) is types.ListType:
+             raise _search_exception(listname, 'cgi', '-8- ' + detail)        
++        if (re.search('[<>]', fs[fieldname].value) or
++            Utils.suspiciousHTML(fs[fieldname].value)):
++            raise _search_exception(listname, 'cgi',
++                                    '-15- suspicious parameter')
+         fieldhash[fieldname] = fs[fieldname].value
+     return urllib.urlencode(fieldhash)
+