[evolvis-commits] r16242: [Major] Protect code against empty listname when droping lists.
mirabilos at evolvis.org
mirabilos at evolvis.org
Tue Mar 1 01:04:43 CET 2011
Author: mirabilos
Date: 2011-03-01 01:04:43 +0100 (Tue, 01 Mar 2011)
New Revision: 16242
Modified:
trunk/gforge_base/evolvisforge-5.1/src/cronjobs/mail/mailing_lists_create.php
trunk/gforge_base/evolvisforge-5.1/src/www/mail/admin/deletelist.php
Log:
[Major] Protect code against empty listname when dropping lists.
Modified: trunk/gforge_base/evolvisforge-5.1/src/cronjobs/mail/mailing_lists_create.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/cronjobs/mail/mailing_lists_create.php 2011-03-01 00:04:40 UTC (rev 16241)
+++ trunk/gforge_base/evolvisforge-5.1/src/cronjobs/mail/mailing_lists_create.php 2011-03-01 00:04:43 UTC (rev 16242)
@@ -68,6 +68,16 @@
$grouplistid = db_result($res,$i,'group_list_id');
$public = db_result($res,$i,'is_public');
+ $listname = trim($listname);
+ if (!$listname) {
+ $err .= "Empty name for a mailing list in 'mail_group_list' table\n";
+ break;
+ }
+ if (!preg_match('/^[a-z0-9\-_\.]*$/', $listname) || $listname == '.' || $listname == '..') {
+ $err .= 'Invalid List Name: ' . $listname;
+ break;
+ }
+
// Here we assume that the privatize_list.py script is located in the same dir as this script
$script_dir = dirname(__FILE__);
$privatize_cmd = escapeshellcmd(forge_get_config('mailman_path').'/bin/config_list -i '.$script_dir.'/privatize_list.py '.$listname);
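Review bot: The allowlist on the added `preg_match` line still accepts a name that begins with `-`, and `$listname` is then appended as a bare argument to the `config_list` command on the last line of this hunk, where the tool may read it as an option instead of a list name. Assuming no existing list name starts with punctuation, requiring an alphanumeric first character closes that gap and makes the separate empty, `.` and `..` checks redundant: `if (!preg_match('/^[a-z0-9][a-z0-9\-_\.]*$/', $listname)) {`. The same pattern is added for `$deleted_mail_list` in the second hunk of this file, where the value goes into the `rmlist -a` command line, so the change applies there as well. The enclosing loop starts outside this hunk.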
@@ -144,6 +154,15 @@
for($k = 0; $k < $rows; $k++) {
$deleted_mail_list = db_result($res,$k,'mailing_list_name');
+ $deleted_mail_list = trim($deleted_mail_list);
+ if (!$deleted_mail_list) {
+ $err .= "Empty name for a mailing list in 'deleted_mailing_lists' table\n";
+ break;
+ }
+ if (!preg_match('/^[a-z0-9\-_\.]*$/', $deleted_mail_list) || $deleted_mail_list == '.' || $deleted_mail_list == '..') {
+ $err .= 'Invalid List Name: ' . $deleted_mail_list;
+ break;
+ }
exec(forge_get_config('mailman_path')."/bin/rmlist -a $deleted_mail_list", $output);
$success = false;
foreach ($output as $line) {
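Review bot: The two added `break` statements leave the `for` loop at the first bad row, so every later entry in `deleted_mailing_lists` is skipped on that run; if the offending row is not cleaned up elsewhere (not visible here), each later run would presumably stop at the same row. `continue;` would skip only that row while still recording the error. The `'Invalid List Name: '` message also lacks the trailing `"\n"` that the empty-name message has, so anything appended to `$err` afterwards runs on the same line; the first hunk has the same `break` and the same missing newline for `$listname`. As defence in depth, the `exec` call could pass `escapeshellarg($deleted_mail_list)` instead of interpolating the variable, so the command stays safe if the pattern is loosened later. The loop body continues past the end of this hunk.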
Modified: trunk/gforge_base/evolvisforge-5.1/src/www/mail/admin/deletelist.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/www/mail/admin/deletelist.php 2011-03-01 00:04:40 UTC (rev 16241)
+++ trunk/gforge_base/evolvisforge-5.1/src/www/mail/admin/deletelist.php 2011-03-01 00:04:43 UTC (rev 16242)
@@ -48,6 +48,9 @@
session_require_perm ('project_admin', $group->getID()) ;
$ml = new MailingList($group,getIntFromGet('group_list_id'));
+if ($ml->isError()) {
+ exit_error($ml->getErrorMessage(),'home');
+}
if (getStringFromPost('submit')) {
$sure = getStringFromPost('sure');
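Review bot: The added `isError()` guard has no comment saying what failure it protects against, and that is not obvious from the three lines alone. Going by the commit message, it presumably stops a `MailingList` that failed to load, and therefore has no name, from reaching the delete path below; a comment such as `// Stop if the list could not be loaded, so an empty list name is never queued for deletion` would record that. The second argument `'home'` is also worth checking against what the other mail admin pages pass to `exit_error`, since this page lives under `mail/admin`. The `if (getStringFromPost('submit'))` block continues outside the hunk.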