mail/mailman: add XSS patch for HTDIG-enabled builds

Reported by: Dan Niles Obtained from: Dan Niles https://github.com/danogh/mailman2.3/blob/main/Patches/htdig/mailman-htdig-xss.patch
2024-12-28 05:29:48 +00:00 · 2024-04-16 21:03:13 +02:00 · 2024-04-16 21:03:13 +02:00 · 725af8c49d
commit 725af8c49d
parent fd753bb287
2 changed files with 18 additions and 1 deletions
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@ -1,6 +1,6 @@
 PORTNAME=	mailman
 DISTVERSION=	2.1.39
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	mail
 MASTER_SITES=	GNU \
 		SF/${PORTNAME}/Mailman%202.1%20%28stable%29/${PORTVERSION} \
@ -139,6 +139,7 @@ PKGNAMESUFFIX:=	${PKGNAMESUFFIX}-with-htdig
 #X upload the latter with mode 0644 or similar to freefall's public_distfiles/ directory
 _HTDIGREV=	1822
 PATCHFILES+=	msapiro-htdig-${_HTDIGREV}.patch.xz
+EXTRA_PATCHES+=	${FILESDIR}/mailman-htdig-xss.patch
 RUN_DEPENDS+=	htdig:textproc/htdig
 PLIST_SUB+=	SUB_HTDIG=""
 .else
--- a/mail/mailman/files/mailman-htdig-xss.patch
+++ b/mail/mailman/files/mailman-htdig-xss.patch
@ -0,0 +1,16 @@
+Obtained from: Dan Niles
+https://github.com/danogh/mailman2.3/blob/main/Patches/htdig/mailman-htdig-xss.patch
+
+--- ./Mailman/Cgi/mmsearch.py.orig	2024-04-15 11:11:03.159081000 -0500
+++ ./Mailman/Cgi/mmsearch.py	2024-04-15 11:57:40.585341000 -0500
+@@ -146,6 +146,10 @@
+             raise _search_exception(listname, 'cgi', '-6- ' + detail)
+         if  type(fs[fieldname]) is types.ListType:
+             raise _search_exception(listname, 'cgi', '-8- ' + detail)        
+        if (re.search('[<>]', fs[fieldname].value) or
+            Utils.suspiciousHTML(fs[fieldname].value)):
+            raise _search_exception(listname, 'cgi',
+                                    '-15- suspicious parameter')
+         fieldhash[fieldname] = fs[fieldname].value
+     return urllib.urlencode(fieldhash)
+