
devel - Re: [sympa-developpers] [sympa-commits] sympa[8492] branches/sympa-6.2-branch: [bug] viewspool_message: HTML view was disabled.

Subject: Developers of Sympa

  • From: David Verdin <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-developpers] [sympa-commits] sympa[8492] branches/sympa-6.2-branch: [bug] viewspool_message: HTML view was disabled.
  • Date: Wed, 30 Jan 2013 10:28:10 +0100


On 30/01/13 10:04, IKEDA Soji wrote:
On Wed, 30 Jan 2013 09:38:04 +0100
David Verdin <address@concealed> wrote:

Hi Soji,

Étienne raised a possible security issue here: what if somebody found it
interesting to put TT2 tags in the incoming mail? This TT2 would then be
processed, potentially doing a lot of things on the server, no?
A pirate could, for example, use the [% PERL %] tag to execute any Perl
code he wants. Given that most server parameters are available to TT2
in the admin context, and that the user viewing spools is likely to be a
listmaster, it could be a big breach, don't you think so?
Oooops, I never had that in mind! I'll make a fix to prevent such
vandalism (on viewspool_message and modindex).
Good! Sorry for being the voice of paranoia...

Should we withdraw the "Messages customization" feature on the compose_mail
page?
I don't think so. The TT2 tags involved are only executed in the bulk.pl context, and the only variables available are the few indicated on the compose_mail page, in addition to any custom user attributes. This is different from a message display in the web interface, where a lot of variables are available to correctly display pages.
This TT2 will be parsed only if the message is accepted for delivery, that is: the user is allowed to post or a moderator accepted it.
So as long as we don't process the TT2 in the moderation page, I think we're safe.

Cheers,

David

Cheers,

David
Cheers,

-- Soji

On 30/01/13 07:54, address@concealed wrote:
sympa[8492] branches/sympa-6.2-branch: [bug] viewspool_message: HTML 
view was disabled.

Revision
    8492
Author
    sikeda
Date
    2013-01-30 07:54:37 +0100 (Wed. 30 Jan. 2013)


      Log Message

[bug] viewspool_message: HTML view was disabled.


      Modified Paths

  * branches/sympa-6.2-branch/web_tt2/viewspool_message.tt2
  * branches/sympa-6.2-branch/wwsympa/wwsympa.fcgi.in


      Diff


        Modified:
        branches/sympa-6.2-branch/web_tt2/viewspool_message.tt2 (8491
        => 8492)


--- branches/sympa-6.2-branch/web_tt2/viewspool_message.tt2	2013-01-30 06:43:02 UTC (rev 8491)
+++ branches/sympa-6.2-branch/web_tt2/viewspool_message.tt2	2013-01-30 06:54:37 UTC (rev 8492)
@@ -1,11 +1,11 @@
  <!-- $Id: viewspool_message.tt2 6796 2010-11-25 15:40:21Z serge.aumont $ -->
+<h1>Moderation</h1>
+[% TRY %]
  
-<hr>
-[% spool_message_ashtml %]
-<hr>
+ [% PROCESS 'msg00000.html' %]
  
-<pre>
-[% spool_message_asstring %]
-</pre>
-
+[% CATCH %]
+   ERROR! Type: [% error.type %]
+          Info: [% error.info %]
+[% END %]
  <!-- end viewspool_message.tt2 -->
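Review bot: `[% PROCESS 'msg00000.html' %]` parses the converted message as a TT2 template, so any directive a poster puts in the mail body is evaluated with whatever stash wwsympa hands to this page, which is exactly the concern raised earlier in this thread. `[% INSERT 'msg00000.html' %]` inserts the file contents without processing them and is the right directive for a view of an untrusted message; either way the HTML that convert_single_msg_2_html produced is still message-derived and needs the same sanitising the archive view applies before a listmaster's browser renders it. Two smaller points: the plain-text `<pre>[% spool_message_asstring %]</pre>` view is dropped here even though wwsympa still sets that variable (either show it again or stop computing it), and the CATCH branch writes `[% error.info %]` into the page unfiltered; `[% error.info | html %]` would be safer since the error text can contain fragments of the file being processed.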


        Modified: branches/sympa-6.2-branch/wwsympa/wwsympa.fcgi.in
        (8491 => 8492)


--- branches/sympa-6.2-branch/wwsympa/wwsympa.fcgi.in	2013-01-30 06:43:02 UTC (rev 8491)
+++ branches/sympa-6.2-branch/wwsympa/wwsympa.fcgi.in	2013-01-30 06:54:37 UTC (rev 8492)
@@ -17541,7 +17541,6 @@
  
   ## deliver a view of a message identified by the spoolname and the messagekey
  sub do_viewspool_message {
-
      my $messagekey = $in{'messagekey'};
      my $spoolname = $in{'spoolname'};
      $param->{'spoolname'} = $spoolname;
@@ -17581,36 +17580,21 @@
      }
  
      $param->{'spool_message_asstring'} = $messages[0]->{'messageasstring'};
-    return 1;
  
-    # the following code is not executed because of a bug. It should be able to disply message as html....
-
-
-    my $destination_dir = Site->viewmail_dir.'/spool/viewmail/'.$messagekey;
-
+    my $destination_dir = Site->viewmail_dir . '/spool/viewmail/' . $messagekey;
      unless (-d $destination_dir) {
-	&Archive::convert_single_msg_2_html ({'msg_as_string'=>$param->{'spool_message_asstring'},
-					      'destination_dir'=>$destination_dir,
-					      'attachement_url'=>"viewspool_message/$messagekey",
-					      'list'=>$list,
-					      'robot'=>$robot_id,
-					      'messagekey'=>$messagekey,} );
-	
-	
+	Archive::convert_single_msg_2_html(
+	    {   'msg_as_string' => $param->{'spool_message_asstring'},
+		'destination_dir' => $destination_dir,
+		'attachement_url' => "viewspool_message/$messagekey",
+		'list' => $list,
+		'robot' => $robot,
+		'messagekey' => $messagekey,
+	    }
+	);
      }
+    tt2::add_include_path($destination_dir);
  
-    unless (open (HTMLMAIL ,$destination_dir.'/msg00000.html')){
-	&report::reject_report_web('intern','could not show message as html');
-	&wwslog('info','do_viewspool_message : could not show message as html');
-	return;
-    }
-
-    while (<HTMLMAIL>){
-	$param->{'spool_message_ashtml'} .= $_;
-
-    }
-    close HTMLMAIL;
-
      return 1;
  }
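Review bot: $messagekey comes straight from $in{'messagekey'} (first hunk of this file) and is concatenated into the on-disk path and into attachement_url here, with no validation visible in this hunk; unless it is checked elsewhere, a key containing `..` or a path separator would make this view convert and read from, and the remove action below delete, a directory outside Site->viewmail_dir. Suggest rejecting anything that is not a plain token before building $destination_dir, for example `return unless $messagekey =~ /\A[\w.-]+\z/;` (pattern to be matched to the real key format). Also: tt2::add_include_path($destination_dir) is what lets the template PROCESS the converted message, so the template-injection issue discussed above is enabled on this side too; and the 'robot' argument changes from $robot_id to $robot without a word in the log message, which is worth confirming against the type Archive::convert_single_msg_2_html expects.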
  
@@ -17664,7 +17648,6 @@
  
   ## remove a message identified by the spoolname and the messagekey
  sub do_viewspool_message_remove {
-
      my $messagekey = $in{'messagekey'};
      $param->{'messagekey'} = $messagekey;
      my $spoolname = $in{'spoolname'};
@@ -17672,7 +17655,7 @@
      my $status = 'ok';
      $status = $in{'spool_status'} if ($in{'spool_status'});
      $param->{'spool_status'} = $status;
-			
+
      &wwslog('info', 'do_viewspool_message_remove(spoolname = %s,messagekey = %s, status =%s)',$spoolname,$messagekey,$status);
  
      unless  ( $param->{'is_listmaster'}){
@@ -17692,7 +17675,12 @@
  	return;	
  	
      }
-
+
+    # clean html view of the message
+    #FIXME: inconsistent removal.
+    my $dir = Site->viewmail_dir . '/spool/viewmail/' . $messagekey;
+    tools::remove_dir($dir) if -d $dir;
+
      $param->{'removed'} = 1;
      return 1;
  }
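Review bot: tools::remove_dir on a path built from $messagekey, which this sub takes from $in{'messagekey'} at its top, is a recursive delete driven by request input; it is only safe if the key has been validated to a plain token before this point, and no such check is visible anywhere in the diff (the is_listmaster test above limits who can trigger it, not which path gets built). Suggest validating $messagekey before the `-d $dir` test. The `#FIXME: inconsistent removal.` comment is also left unexplained: state in what way the removal is inconsistent (for instance whether the cached HTML directory is also cleaned when a message leaves the spool through another action), or reference a tracker item, so the next reader does not have to rediscover it.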

-- 
A bug in Sympa? Quick! To the bug tracker! 
<https://sourcesup.renater.fr/tracker/?atid=167&group_id=23&func=browse>
	David Verdin
Services Applicatifs aux Utilisateurs
Tel. +33 2 23 23 69 71
GIP RENATER <http://www.renater.fr>




Attachment: smime.p7s
Description: S/MIME cryptographic signature
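The template-injection risk discussed in this thread, demonstrated with an added example that is neither Sympa's code nor part of the patch above. It uses Template Toolkit directly: a message body containing TT2 directives is written into a constructed per-message directory, then rendered once with PROCESS (the directive the patch uses) and once with INSERT. The stash variables (conf.db_passwd, listmasters) and the file names are assumptions for illustration, not Sympa's real layout; the PERL block only runs when EVAL_PERL is enabled, which Template Toolkit leaves off by default, while the variable leak needs no such option.

```perl
#!/usr/bin/perl
# Added example, not Sympa code: a poster's mail body handed to Template
# Toolkit via PROCESS is evaluated as a template with the viewer's variables.
# Requires the CPAN Template module (Template Toolkit).
use strict;
use warnings;
use File::Temp qw(tempdir);
use Template;

# Constructed stand-in for the per-message viewmail directory that the patch
# adds to the TT2 include path before PROCESSing msg00000.html.
my $dir = tempdir(CLEANUP => 1);

sub write_message {
    my ($name, $body) = @_;
    open my $fh, '>', "$dir/$name" or die "open $name: $!";
    print {$fh} $body;
    close $fh;
}

# Two constructed hostile message bodies. The stash names used in them
# (conf.db_passwd, listmasters) are assumptions for illustration only.
write_message('leak.html',
    "<p>[% conf.db_passwd %] / [% listmasters.join(', ') %]</p>\n");
write_message('perl.html',
    "<p>[% PERL %] print 'arbitrary perl ran'; [% END %]</p>\n");

# Constructed stash standing in for "most server parameters available to TT2".
my $vars = {
    conf        => { db_passwd => 'constructed-secret' },
    listmasters => [ 'listmaster@example.invalid' ],
};

# Render a one-line outer template the way a wwsympa page would, with the
# message directory on the include path. Returns the rendered output, or
# the TT error string when processing aborts.
sub render {
    my ($outer, $eval_perl) = @_;
    my $tt = Template->new({
        INCLUDE_PATH => $dir,
        EVAL_PERL    => $eval_perl,  # TT default is 0: PERL blocks throw instead of running
    }) or die Template->error;
    my $out = '';
    $tt->process(\$outer, $vars, \$out)
        or return 'TT error: ' . $tt->error . "\n";
    return $out;
}

# 1. PROCESS (the pattern in the patch): directives in the message body run
#    with the viewer's stash. The variable leak works with EVAL_PERL off;
#    the PERL block needs it on.
print "PROCESS leak.html   : ", render("[% PROCESS 'leak.html' %]", 0);
print "PROCESS perl.html   : ", render("[% PROCESS 'perl.html' %]", 0);
print "PROCESS perl.html(+): ", render("[% PROCESS 'perl.html' %]", 1);

# 2. INSERT copies the file in verbatim, so the directives stay inert text.
#    The HTML itself still has to be sanitised before a browser renders it.
print "INSERT  leak.html   : ", render("[% INSERT 'leak.html' %]", 0);
print "INSERT  perl.html   : ", render("[% INSERT 'perl.html' %]", 0);
```

Run it with `perl` after installing Template from CPAN. The first PROCESS line shows the stash contents substituted into the message, which is the damage available to any poster regardless of EVAL_PERL; the second fails with a TT "perl" error because EVAL_PERL is off, and the third runs the poster's Perl once it is on. Both INSERT lines print the `[% ... %]` markup unchanged, which is why a view of an untrusted message should insert rather than process the converted file.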




Archive powered by MHonArc 2.6.19+.
