[Bug 1661810] [NEW] Certain Malformed list names throw TypeError: in roster CGI

Mark Sapiro mark at msapiro.net
Sat Feb 4 01:07:25 EST 2017

Public bug reported:

We've seen attacks visiting URLs such as
dev%2522%252dswffelqj%252d%2522>. The list name after unescaping is
python-dev%22%2dswffelqj%2d%22 which websafes to the same thing.

Ultimately, this calls
    error_page(_('No such list <em>%(safelistname)s</em>'))

which in turn calls
    error_page_doc(doc, errmsg)

with the translated error message. The problem is error_page_doc is
defined as

def error_page_doc(doc, errmsg, *args):

even though it is never called with any additional args. It then tries
to interpolate the (empty) args into the errmsg string which in this
case contains a '%' and results in

TypeError: not enough arguments for format string

The solution, since error_page_doc is never called with extra arguments,
is to just drop the *args and the attempted interpolation.

** Affects: mailman
     Importance: Low
     Assignee: Mark Sapiro (msapiro)
         Status: In Progress

You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.

  Certain Malformed list names throw TypeError: in roster CGI

To manage notifications about this bug go to:

More information about the Mailman-coders mailing list
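The failure path described in the report, reconstructed as an added, stand-alone example (this is not Mailman's code; `websafe`, `roster_error` and the two `error_page_doc` variants are simplified stand-ins for the roster CGI plumbing, and the malformed parameter value is the one quoted in the report):

```python
"""Reproduce the roster CGI TypeError: a list name containing '%' reaches
an error helper that still runs '%'-interpolation with an empty *args."""
from html import escape
from urllib.parse import unquote


def websafe(s):
    """Stand-in for Utils.websafe: HTML-escape the value (hypothetical helper)."""
    return escape(s, quote=True)


def error_page_doc_buggy(errmsg, *args):
    """Buggy form: 'errmsg % args' runs even though callers never pass args.
    With args == (), any '%' in errmsg that parses as a conversion (here
    '%2d') raises TypeError: not enough arguments for format string."""
    return errmsg % args


def error_page_doc_fixed(errmsg):
    """Fixed form from the report: no *args, no interpolation at all."""
    return errmsg


def roster_error(listname_param, error_page_doc):
    """Mimic the roster path: unescape the CGI parameter once, websafe it,
    build the 'No such list' message, and hand it to error_page_doc."""
    listname = unquote(listname_param)          # %2522 -> %22, %252d -> %2d
    safelistname = websafe(listname)
    # Dict interpolation is safe: the value is inserted, never re-parsed.
    errmsg = 'No such list <em>%(safelistname)s</em>' % {
        'safelistname': safelistname}
    return error_page_doc(errmsg)


# Constructed from the URL quoted in the report (double-encoded quotes/dashes).
MALFORMED = 'python-dev%2522%252dswffelqj%252d%2522'


def try_buggy(param):
    """Run the buggy helper and return either the page text or the error."""
    try:
        return roster_error(param, error_page_doc_buggy)
    except TypeError as e:
        return 'TypeError: %s' % e


if __name__ == '__main__':
    print(try_buggy(MALFORMED))
    print(roster_error(MALFORMED, error_page_doc_fixed))
```

A well-formed list name such as `python-dev` passes through both variants unchanged, which is why the extra interpolation went unnoticed until a '%'-bearing name arrived.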