
devel - Re: [sympa-developpers] [sympa-commits] sympa[8492] branches/sympa-6.2-branch: [bug] viewspool_message: HTML view was disabled.

  • From: IKEDA Soji <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-developpers] [sympa-commits] sympa[8492] branches/sympa-6.2-branch: [bug] viewspool_message: HTML view was disabled.
  • Date: Wed, 30 Jan 2013 18:04:39 +0900

On Wed, 30 Jan 2013 09:38:04 +0100
David Verdin <address@concealed> wrote:

> Hi Soji,
>
> Étienne raises a possible security issue here: what if somebody found
> it interesting to put TT2 tags in the incoming mail? This TT2 would then be
> processed, potentially doing a lot of things on the server, no?
> A pirate could, for example, use the [% PERL %] tag to execute any Perl
> code he wants. Given that most server parameters are available for TT2
> in the admin context, and that the user viewing spools is likely to be a
> listmaster, it could be a big breach, don't you think so?

OoOoops, I never had that in mind! I'll make a fix to prevent such
vandalism (on viewspool_message and modindex).

Should we withdraw the "Messages customization" feature on the compose_mail
page?

> Cheers,
>
> David

Cheers,

-- Soji

> On 30/01/13 07:54, address@concealed wrote:
> > sympa[8492] branches/sympa-6.2-branch: [bug] viewspool_message: HTML
> > view was disabled.
> >
> > Revision: 8492
> > Author: sikeda
> > Date: 2013-01-30 07:54:37 +0100 (mer. 30 janv. 2013)
> >
> >
> > Log Message
> >
> > [bug] viewspool_message: HTML view was disabled.
> >
> >
> > Modified Paths
> >
> > * branches/sympa-6.2-branch/web_tt2/viewspool_message.tt2
> > * branches/sympa-6.2-branch/wwsympa/wwsympa.fcgi.in
> >
> >
> > Diff
> >
> >
> > Modified:
> > branches/sympa-6.2-branch/web_tt2/viewspool_message.tt2 (8491
> > => 8492)
> >
> >
> > --- branches/sympa-6.2-branch/web_tt2/viewspool_message.tt2 2013-01-30
> > 06:43:02 UTC (rev 8491)
> > +++ branches/sympa-6.2-branch/web_tt2/viewspool_message.tt2 2013-01-30
> > 06:54:37 UTC (rev 8492)
> > @@ -1,11 +1,11 @@
> > <!-- $Id: viewspool_message.tt2 6796 2010-11-25 15:40:21Z serge.aumont
> > $ -->
> > +<h1>Moderation</h1>
> > +[% TRY %]
> >
> > -<hr>
> > -[% spool_message_ashtml %]
> > -<hr>
> > + [% PROCESS 'msg00000.html' %]
> >
> > -<pre>
> > -[% spool_message_asstring %]
> > -</pre>
> > -
> > +[% CATCH %]
> > + ERROR! Type: [% error.type %]
> > + Info: [% error.info %]
> > +[% END %]
> > <!-- end viewspool_message.tt2 -->
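Review bot: `[% PROCESS 'msg00000.html' %]` hands the converted message to the template engine as a template, so any TT2 directive a sender places in the mail body is evaluated against the caller's stash, which is exactly the concern raised in this thread. The file is untrusted data, not a template; use `[% INSERT 'msg00000.html' %]`, which copies the file contents into the output without parsing them, and keep `TRY`/`CATCH` only for the missing-file case. The `[% error.info %]` in the CATCH branch is also emitted unescaped; write it as `[% error.info | html %]`.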
> >
> >
> > Modified: branches/sympa-6.2-branch/wwsympa/wwsympa.fcgi.in
> > (8491 => 8492)
> >
> >
> > --- branches/sympa-6.2-branch/wwsympa/wwsympa.fcgi.in 2013-01-30
> > 06:43:02 UTC (rev 8491)
> > +++ branches/sympa-6.2-branch/wwsympa/wwsympa.fcgi.in 2013-01-30
> > 06:54:37 UTC (rev 8492)
> > @@ -17541,7 +17541,6 @@
> >
> > ## deliver a view of a message identified by the spoolname and the
> > messagekey
> > sub do_viewspool_message {
> > -
> > my $messagekey = $in{'messagekey'};
> > my $spoolname = $in{'spoolname'};
> > $param->{'spoolname'} = $spoolname;
> > @@ -17581,36 +17580,21 @@
> > }
> >
> > $param->{'spool_message_asstring'} =
> > $messages[0]->{'messageasstring'};
> > - return 1;
> >
> > - # the following code is not executed because of a bug. It should be
> > able to disply message as html....
> > -
> > -
> > - my $destination_dir =
> > Site->viewmail_dir.'/spool/viewmail/'.$messagekey;
> > -
> > + my $destination_dir = Site->viewmail_dir . '/spool/viewmail/' .
> > $messagekey;
> > unless (-d $destination_dir) {
> > - &Archive::convert_single_msg_2_html
> > ({'msg_as_string'=>$param->{'spool_message_asstring'},
> > -
> > 'destination_dir'=>$destination_dir,
> > -
> > 'attachement_url'=>"viewspool_message/$messagekey",
> > - 'list'=>$list,
> > - 'robot'=>$robot_id,
> > - 'messagekey'=>$messagekey,} );
> > -
> > -
> > + Archive::convert_single_msg_2_html(
> > + { 'msg_as_string' => $param->{'spool_message_asstring'},
> > + 'destination_dir' => $destination_dir,
> > + 'attachement_url' => "viewspool_message/$messagekey",
> > + 'list' => $list,
> > + 'robot' => $robot,
> > + 'messagekey' => $messagekey,
> > + }
> > + );
> > }
> > + tt2::add_include_path($destination_dir);
> >
> > - unless (open (HTMLMAIL ,$destination_dir.'/msg00000.html')){
> > - &report::reject_report_web('intern','could not show message as html');
> > - &wwslog('info','do_viewspool_message : could not show message as
> > html');
> > - return;
> > - }
> > -
> > - while (<HTMLMAIL>){
> > - $param->{'spool_message_ashtml'} .= $_;
> > -
> > - }
> > - close HTMLMAIL;
> > -
> > return 1;
> > }
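Review bot: `$messagekey` comes straight from `$in{'messagekey'}` (context of the previous hunk) and is concatenated into `$destination_dir`, which is then created under `Site->viewmail_dir` and pushed into the template include path with `tt2::add_include_path`; nothing visible in this hunk constrains it to the expected key format. Validate it against the pattern spool keys actually use before building the path (at least reject any `/` or `..`). Two further points: the call now passes `'robot' => $robot` where the removed code passed `$robot_id`, a change the log message does not mention, so confirm `Archive::convert_single_msg_2_html` expects the object; and the failure reporting the removed `open` branch did through `report::reject_report_web` and `wwslog` has no replacement, so a failed conversion is now surfaced only by the template's CATCH text and is never logged.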
> >
> > @@ -17664,7 +17648,6 @@
> >
> > ## remove a message identified by the spoolname and the messagekey
> > sub do_viewspool_message_remove {
> > -
> > my $messagekey = $in{'messagekey'};
> > $param->{'messagekey'} = $messagekey;
> > my $spoolname = $in{'spoolname'};
> > @@ -17672,7 +17655,7 @@
> > my $status = 'ok';
> > $status = $in{'spool_status'} if ($in{'spool_status'});
> > $param->{'spool_status'} = $status;
> > -
> > +
> > &wwslog('info', 'do_viewspool_message_remove(spoolname =
> > %s,messagekey = %s, status =%s)',$spoolname,$messagekey,$status);
> >
> > unless ( $param->{'is_listmaster'}){
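Review bot: this hunk only replaces an empty line with one containing trailing whitespace (`+ `); drop it from the commit.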
> > @@ -17692,7 +17675,12 @@
> > return;
> >
> > }
> > -
> > +
> > + # clean html view of the message
> > + #FIXME: inconsistent removal.
> > + my $dir = Site->viewmail_dir . '/spool/viewmail/' . $messagekey;
> > + tools::remove_dir($dir) if -d $dir;
> > +
> > $param->{'removed'} = 1;
> > return 1;
> > }
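Review bot: the return value of `tools::remove_dir($dir)` is ignored, so a failed cleanup of the HTML view silently leaves the converted message on disk under `Site->viewmail_dir`; log the failure with `wwslog` as the rest of this sub does. The `#FIXME: inconsistent removal.` comment is committed without saying what is inconsistent; spell it out in the comment or file it in the bug tracker so it does not get lost.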
> >
> > --
> > A bug in Sympa? Quick! To the bug tracker!
> > <https://sourcesup.renater.fr/tracker/?atid=167&group_id=23&func=browse>
> > David Verdin
> > Services Applicatifs aux Utilisateurs
> > Tel. +33 2 23 23 69 71
> > GIP RENATER <http://www.renater.fr>
> >


--
Conversion Co., Ltd., Security & OSS Solutions Dept., Soji Ikeda
Helios Kannai Bldg. 7F, 3-21-2 Motohama-cho, Naka-ku, Yokohama, Kanagawa 231-0004
e-mail address@concealed TEL 045-640-3550
http://www.conversion.co.jp/
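An added example in Perl with Template Toolkit, not Sympa's own code, illustrating the point raised above: the same converted message file rendered through PROCESS has its directives evaluated against the stash, while INSERT copies it verbatim. The message file, the `secret` stash variable and the `render` helper are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not Sympa code): why rendering a converted message with
# [% PROCESS %] is unsafe and how [% INSERT %] avoids it.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Template;

# Constructed stand-in for a converted message (msg00000.html) whose body
# carries a TT2 directive planted by the sender.
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/msg00000.html";
open my $fh, '>', $file or die "open $file: $!";
print $fh "<p>Hello listmaster</p>\n",
          "<p>[% secret %]</p>\n";    # reads a stash variable
close $fh;

# Stash as an admin-context page would see it; 'secret' is a constructed value.
my $vars = { secret => 'db_passwd_example' };

# Render the message file through the given directive (PROCESS or INSERT).
sub render {
    my ($directive) = @_;
    my $tt = Template->new({ INCLUDE_PATH => $dir }) or die Template->error;
    my $out = '';
    $tt->process(\"[% $directive 'msg00000.html' %]", $vars, \$out)
        or die $tt->error;
    return $out;
}

my $processed = render('PROCESS');   # directive evaluated: secret leaks
my $inserted  = render('INSERT');    # file copied verbatim

print "PROCESS:\n$processed\n";
print "INSERT:\n$inserted\n";

die "PROCESS should have expanded the directive"
    unless $processed =~ /db_passwd_example/;
die "INSERT should have kept the directive literal"
    unless $inserted =~ /\Q[% secret %]\E/;
```

Anything in the include path is reachable the same way, so the include path a message directory is added to should contain nothing but that message.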


