Certain Malformed list names throw TypeError: in roster CGI

Bug #1661810 reported by Mark Sapiro
Affects: GNU Mailman
Status: Fix Released
Importance: Low
Assigned to: Mark Sapiro

Bug Description

We've seen attacks visiting URLs such as <http://example.com/mailman/roster/python-dev%2522%252dswffelqj%252d%2522>. The list name after unescaping is python-dev%22%2dswffelqj%2d%22 which websafes to the same thing.

Ultimately, this calls
    error_page(_('No such list <em>%(safelistname)s</em>'))

which in turn calls
    error_page_doc(doc, errmsg)

with the translated error message. The problem is error_page_doc is defined as

    def error_page_doc(doc, errmsg, *args):

even though it is never called with any additional args. It then tries to interpolate the (empty) args into the errmsg string, which in this case contains a '%' and results in

    TypeError: not enough arguments for format string

The solution, since error_page_doc is never called with extra arguments, is to just drop the *args and the attempted interpolation.
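The failure described in this report, reproduced as an added example (not Mailman's own code): a simplified Python 3 model of the error path, with the pre-fix and post-fix shapes of `error_page_doc` side by side. The `doc` argument is omitted, `html.escape` stands in for Mailman's websafe step, and `build_errmsg`, `error_page_doc_before`, `error_page_doc_after` and `demo` are hypothetical names.

```python
import html
from urllib.parse import unquote

# Constructed sample: last path component of the URL quoted in the report.
RAW_LISTNAME = "python-dev%2522%252dswffelqj%252d%2522"
TEMPLATE = "No such list <em>%(safelistname)s</em>"


def build_errmsg(raw_listname):
    """Model the CGI's steps up to the error_page_doc call (assumed shape)."""
    listname = unquote(raw_listname)      # one decoding pass: %25 becomes %
    safelistname = html.escape(listname)  # HTML escaping leaves '%' untouched
    # First interpolation: the list name is now part of the message text.
    return TEMPLATE % {"safelistname": safelistname}


def error_page_doc_before(errmsg, *args):
    """Pre-fix shape: the finished message is reused as a format string."""
    return errmsg % args  # args is always (), so any '%2d' wants a missing arg


def error_page_doc_after(errmsg):
    """Post-fix shape: no *args, the message is passed through verbatim."""
    return errmsg


def demo():
    """Return (message, pre-fix failure text or None, post-fix output)."""
    errmsg = build_errmsg(RAW_LISTNAME)
    try:
        error_page_doc_before(errmsg)
        failure = None
    except TypeError as exc:
        failure = str(exc)
    return errmsg, failure, error_page_doc_after(errmsg)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A list name without '%' passes through the pre-fix function unchanged, which is why the second interpolation went unnoticed until percent signs arrived in the request path.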

Mark Sapiro (msapiro)
Changed in mailman:
status: In Progress → Fix Committed
Mark Sapiro (msapiro)
Changed in mailman:
status: Fix Committed → Fix Released