[Fusionforge-commits] r11010 - in trunk/src: cronjobs/mail www/mail/admin

Alain Peyrat aljeux at libremir.placard.fr.eu.org
Fri Oct 15 16:31:25 CEST 2010


Author: aljeux
Date: 2010-10-15 16:31:25 +0200 (Fri, 15 Oct 2010)
New Revision: 11010

Modified:
   trunk/src/cronjobs/mail/mailing_lists_create.php
   trunk/src/www/mail/admin/deletelist.php
Log:
[Major] Protect code against empty listname when dropping lists.

Modified: trunk/src/cronjobs/mail/mailing_lists_create.php
===================================================================
--- trunk/src/cronjobs/mail/mailing_lists_create.php	2010-10-15 13:19:13 UTC (rev 11009)
+++ trunk/src/cronjobs/mail/mailing_lists_create.php	2010-10-15 14:31:25 UTC (rev 11010)
@@ -68,6 +68,16 @@
 	$grouplistid = db_result($res,$i,'group_list_id');
 	$public = db_result($res,$i,'is_public');
 	
+	$listname = trim($listname);
+	if (!$listname) {
+		$err .= "Empty name for a mailing list in 'mail_group_list' table\n";
+		break;
+	}
+	if (!preg_match('/^[a-z0-9\-_\.]*$/', $listname) || $listname == '.' || $listname == '..') {
+		$err .= 'Invalid List Name: ' . $listname;
+		break;
+	}
+
 	// Here we assume that the privatize_list.py script is located in the same dir as this script
 	$script_dir = dirname(__FILE__);
 	$privatize_cmd = escapeshellcmd(forge_get_config('mailman_path').'/bin/config_list -i '.$script_dir.'/privatize_list.py '.$listname);
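Review bot: The whitelist added ahead of the `config_list` call still accepts a name that begins with `-`, so such a row passes the check and the external command reads it as an option rather than a list name. The same pattern is repeated in the second hunk ahead of `rmlist -a`. Requiring a non-hyphen first character closes this, e.g. `if (!preg_match('/^[a-z0-9][a-z0-9\-_\.]*$/', $listname)) {`, which also makes the separate `.` and `..` comparisons unnecessary. That pattern is narrower than the current one (names starting with `_` or `.` would be rejected), so confirm no existing list relies on them. Wrapping the name in `escapeshellarg()` at both call sites would also keep the command line from depending on the regex alone.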
@@ -144,6 +154,15 @@
 for($k = 0; $k < $rows; $k++) {
 	$deleted_mail_list = db_result($res,$k,'mailing_list_name');
 	
+	$deleted_mail_list = trim($deleted_mail_list);
+	if (!$deleted_mail_list) {
+		$err .= "Empty name for a mailing list in 'deleted_mailing_lists' table\n";
+		break;
+	}
+	if (!preg_match('/^[a-z0-9\-_\.]*$/', $deleted_mail_list) || $deleted_mail_list == '.' || $deleted_mail_list == '..') {
+		$err .= 'Invalid List Name: ' . $deleted_mail_list;
+		break;
+	}
 	exec(forge_get_config('mailman_path')."/bin/rmlist -a $deleted_mail_list", $output);
 	$success = false;
 	foreach ($output as $line) {
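Review bot: The `break` in both new guards ends the whole `for($k ...)` loop, so one empty or invalid row in 'deleted_mailing_lists' stops every later row from being handled in this run. If the bad row is not cleared elsewhere, that presumably repeats on each cron run. `continue;` would skip only the offending row and still record the error. The invalid-name message also lacks the newline that the empty-name message has, so consecutive errors run together: `$err .= 'Invalid List Name: ' . $deleted_mail_list . "\n";`. Both remarks apply to the first hunk as well, where the enclosing loop starts outside the hunk; the body of this loop continues past the end of the hunk.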

Modified: trunk/src/www/mail/admin/deletelist.php
===================================================================
--- trunk/src/www/mail/admin/deletelist.php	2010-10-15 13:19:13 UTC (rev 11009)
+++ trunk/src/www/mail/admin/deletelist.php	2010-10-15 14:31:25 UTC (rev 11010)
@@ -48,6 +48,9 @@
 session_require_perm ('project_admin', $group->getID()) ;
 
 $ml = new MailingList($group,getIntFromGet('group_list_id'));
+if ($ml->isError()) {
+	exit_error($ml->getErrorMessage(),'home');
+}
 
 if (getStringFromPost('submit')) {
 	$sure = getStringFromPost('sure');



