From: TAKATSU Tomonari
Date: Tue, 4 Sep 2018 03:01:22 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r478924 - in branches/2018Q3/japanese/mailman: . files

Author: tota
Date: Tue Sep 4 03:01:22 2018
New Revision: 478924
URL: https://svnweb.freebsd.org/changeset/ports/478924

Log:
  MFH: r478435

  - Apply CVE-2018-13796 patch

  PR: 230183
  Submitted by: Yasuhito FUTATSUKI
  Security: CVE-2018-13796
  Approved by: ports-secteam (miwi@)

Modified:
  branches/2018Q3/japanese/mailman/Makefile
  branches/2018Q3/japanese/mailman/files/patch-Mailman_Utils.py
Directory Properties:
  branches/2018Q3/ (props changed)

Modified: branches/2018Q3/japanese/mailman/Makefile ============================================================================== --- branches/2018Q3/japanese/mailman/Makefile Tue Sep 4 00:57:19 2018 (r478923) +++ branches/2018Q3/japanese/mailman/Makefile Tue Sep 4 03:01:22 2018 (r478924) 
@@ -3,7 +3,7 @@ PORTNAME= mailman PORTVERSION= 2.1.14.j7 -PORTREVISION= 5 +PORTREVISION= 6 PORTEPOCH= 1 CATEGORIES= japanese mail MASTER_SITES= https://docs.python.jp/contrib/mailman/_static/ \ Modified: branches/2018Q3/japanese/mailman/files/patch-Mailman_Utils.py ============================================================================== --- branches/2018Q3/japanese/mailman/files/patch-Mailman_Utils.py Tue Sep 4 00:57:19 2018 (r478923) +++ branches/2018Q3/japanese/mailman/files/patch-Mailman_Utils.py Tue Sep 4 03:01:22 2018 (r478924) @@ -19,7 +19,38 @@ basepath = Site.get_listpath(listname) for ext in ('.pck', '.pck.last', '.db', '.db.last'): dbfile = os.path.join(basepath, 'config' + ext) -@@ -952,6 +958,7 @@ _badwords = [ +@@ -246,10 +252,28 @@ CRNLpat = re.compile(r'[^\x21-\x7e]') + def GetPathPieces(envar='PATH_INFO'): + path = os.environ.get(envar) + if path: ++ remote = os.environ.get('HTTP_FORWARDED_FOR', ++ os.environ.get('HTTP_X_FORWARDED_FOR', ++ os.environ.get('REMOTE_ADDR', ++ 'unidentified origin'))) + if CRNLpat.search(path): + path = CRNLpat.split(path)[0] +- syslog('error', 'Warning: Possible malformed path attack.') +- return [p for p in path.split('/') if p] ++ syslog('error', ++ 'Warning: Possible malformed path attack domain=%s remote=%s', ++ get_domain(), ++ remote) ++ # Check for listname injections that won't be websafed. ++ pieces = [p for p in path.split('/') if p] ++ # Get the longest listname or 20 if none. ++ if list_names(): ++ longest = max([len(x) for x in list_names()]) ++ else: ++ longest = 20 ++ if pieces and len(pieces[0]) > longest: ++ syslog('mischief', ++ 'Hostile listname: listname=%s: remote=%s', pieces[0], remote) ++ pieces[0] = pieces[0][:longest] + '...' ++ return pieces + return None + + +@@ -952,6 +976,7 @@ _badwords = [ '
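
Review bot: In the GetPathPieces hunk, remote is taken from HTTP_FORWARDED_FOR or HTTP_X_FORWARDED_FOR in preference to REMOTE_ADDR, and both of those are request headers the client sets, so the origin recorded in the 'error' and 'mischief' log entries can be forged; in these lines it is also passed to syslog without the CRNLpat filtering that path receives. Consider always logging REMOTE_ADDR and recording the forwarded value as a separate, filtered field, so the log keeps one address the client cannot choose. Two smaller points in the same hunk: list_names() is called twice on every request that carries a path, so call it once and reuse the result; and the check only truncates a first path piece longer than the longest list name, so a piece at or under that length is returned unchanged and callers still need to escape it before output, which the comment "listname injections that won't be websafed" would do well to state.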