
devel - escape problem in mhonarc generated archive

Subject: Developers of Sympa

List archive

Chronological Thread  
  • From: Chia-liang Kao <address@concealed>
  • To: address@concealed
  • Subject: escape problem in mhonarc generated archive
  • Date: Thu, 22 May 2003 20:52:50 +0800

Hi,

During my quest of making sympa use tt2, I found that there's
a problem with the STOPPARSE tag used in the mhonarc resources.

The problem is that there's no proper escaping done when generating
the .html, so a user could effectively send a mail with the subject:
[STARTPARSE][INCLUDE '/etc/passwd'][STOPPARSE] to exploit the
template being processed.

In order to have the variables escaped in the mhonarc layer,
I skimmed the related functions in the source and found that the
easiest way seems to be using the {U} modifier of the variable
to be accessed, with all variables wrapped in a URI decoder.

In tt2 it'll be like using the following in the resources file:
[%|urldecode%]$SUBJECT{U}[%END%]

A similar thing should be done for the original templating system
to avoid the problem described above.

Cheers,
CLK
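An added illustration of the two-layer problem described above (not code from the post, Sympa or MHonArc): a constructed model in which MHonArc substitutes $SUBJECT$ first and a minimal template pass then interprets the result. It shows the quoted subject reaching the parser as a directive with the unescaped legacy resource, and surviving only as literal text once the subject is URL-encoded at the MHonArc layer (the {U} modifier, modelled here as a flag) and decoded inside the [%|urldecode%] block; the resource fragments, the url_encode flag and the mini-engine are assumptions.

```python
import re
from urllib.parse import quote, unquote

# Constructed model: MHonArc expands $SUBJECT$ into the resource first, then
# the template layer parses the result. The mini-engine knows the legacy
# [STOPPARSE]/[STARTPARSE] tags and the TT2 [%|urldecode%]...[%END%] block.
DIRECTIVE = re.compile(r"\[%.*?%\]|\[[A-Z]+(?:\s[^\]]*)?\]")

def mhonarc_expand(resource: str, subject: str, url_encode: bool) -> str:
    """Archive layer: substitute the subject. url_encode stands in for the
    {U} modifier, i.e. $SUBJECT{U} instead of $SUBJECT in the resource."""
    value = quote(subject, safe="") if url_encode else subject
    return resource.replace("$SUBJECT$", value)

def template_render(text: str):
    """Template layer. Returns (rendered text, directives the engine would
    execute). Directives are only recorded here, never executed."""
    out, directives, parsing, filter_start, pos = [], [], True, None, 0
    for m in DIRECTIVE.finditer(text):
        out.append(text[pos:m.start()])
        pos, tok = m.end(), m.group(0)
        if tok == "[STOPPARSE]":
            parsing = False
        elif tok == "[STARTPARSE]":
            parsing = True
        elif not parsing:
            out.append(tok)                     # literal text, not a directive
        elif tok == "[%|urldecode%]":
            filter_start = len(out)             # start collecting block output
        elif tok == "[%END%]":
            block = "".join(out[filter_start:])
            del out[filter_start:]
            out.append(unquote(block))          # filter applied to parsed output
            filter_start = None
        else:
            directives.append(tok)              # would run in the real engine
    out.append(text[pos:])
    return "".join(out), directives

# The subject quoted in the post, and two constructed resource fragments:
# the unescaped legacy form and the {U} + urldecode form the post recommends.
SUBJECT = "[STARTPARSE][INCLUDE '/etc/passwd'][STOPPARSE]"
LEGACY_RESOURCE = "<b>[STOPPARSE]$SUBJECT$[STARTPARSE]</b>"
ESCAPED_RESOURCE = "<b>[%|urldecode%]$SUBJECT$[%END%]</b>"

def render_subject(resource: str, url_encode: bool):
    """Run both layers over SUBJECT with the given resource fragment."""
    return template_render(mhonarc_expand(resource, SUBJECT, url_encode))
```

With the legacy fragment the INCLUDE token is reported as a directive; with the escaped fragment no directive is seen and the rendered output contains the subject verbatim.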


  • escape problem in mhonarc generated archive, Chia-liang Kao, 05/22/2003

Archive powered by MHonArc 2.6.19+.
