Applied patch for CVE-2006-5875.
diff --git a/eoc.py b/eoc.py
index 124cac2f5bb06f10aaa23c50bf1d50d3d3f66a8c..f855b36333737e77f1599a551ba107f9732ded1c 100644 (file)
--- a/eoc.py
+++ b/eoc.py
@@ -4,7 +4,7 @@ This is a simple mailing list manager that mimicks the ezmlm-idx mail
 address commands. See manual page for more information.
 """
 
-VERSION = "1.2.1"
+VERSION = "1.2.4"
 PLUGIN_INTERFACE_VERSION = "1"
 
 import getopt
@@ -80,6 +80,34 @@ COMMANDS = SIMPLE_COMMANDS + SUB_COMMANDS + HASH_COMMANDS
 def md5sum_as_hex(s):
     return md5.new(s).hexdigest()
 
+
+def forkexec(argv, text):
+    """Run a command (given as argv array) and write text to its stdin"""
+    (r, w) = os.pipe()
+    pid = os.fork()
+    if pid == -1:
+        raise Exception("fork failed")
+    elif pid == 0:
+        os.dup2(r, 0)
+        os.close(r)
+        os.close(w)
+        fd = os.open("/dev/null", os.O_RDWR)
+        os.dup2(fd, 1)
+        os.dup2(fd, 2)
+        os.execvp(argv[0], argv)
+        sys.exit(1)
+    else:
+        os.close(r)
+        os.write(w, text)
+        os.close(w)
+        (pid2, exit) = os.waitpid(pid, 0)
+        if pid != pid2:
+            raise Exception("os.waitpid for %d returned for %d" % (pid, pid2))
+        if exit != 0:
+            raise Exception("subprocess failed, exit=0x%x" % exit)
+        return exit
+
+
 environ = None
 
 def set_environ(new_environ):
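Review bot: In the child branch of `forkexec`, a failed `os.execvp` raises OSError instead of returning, and the `sys.exit(1)` fallback raises SystemExit, so the forked child can unwind into the caller's exception handlers and keep running as a second copy of the list manager. The child should leave through `os._exit()` in a `finally`, as sketched below. The `pid == -1` test is also dead code, since `os.fork()` reports failure by raising OSError rather than returning -1. Because `forkexec` raises on any non-zero wait status, a docstring line saying so would help callers that still inspect the return value.
```python
    elif pid == 0:
        try:
            # … unchanged: dup2/close of the pipe ends, /dev/null on fds 1 and 2 …
            os.execvp(argv[0], argv)
        finally:
            # Reached only if setup or exec failed; never return into the caller's code.
            os._exit(127)
```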
@@ -411,16 +439,10 @@ class MailingListManager:
                     error("Error sending QMQP mail, mail probably not sent")
                     sys.exit(1)
             else:
-                recipients = string.join(recipients, " ")
-                f = os.popen("%s -oi -f '%s' %s" % 
-                                 (self.sendmail, 
-                                  envelope_sender, 
-                                  recipients),
-                             "w")
-                f.write(text)
-                status = f.close()
-                if status != 0:
-                    error("%s returned %d, mail sending probably failed" %
+                status = forkexec([self.sendmail, "-oi", "-f", 
+                                   envelope_sender] + recipienients, text)
+                if status:
+                    error("%s returned %s, mail sending probably failed" %
                            (self.sendmail, status))
                     sys.exit((status >> 8) & 0xff)
         else:
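Review bot: The added call passes `recipienients`, which is not the name the removed lines use (`recipients`), so unless it is defined outside this hunk the sendmail branch raises NameError instead of sending; the line should read `envelope_sender] + recipients, text)`. Since `forkexec` raises on any non-zero wait status, `if status:` can never be true and the `error(...)`/`sys.exit(...)` path is unreachable; either catch the exception here or have `forkexec` return the status. Passing an argv list removes the shell quoting problem, but a recipient that begins with `-` would still be read by sendmail as an option, so consider inserting `"--"` before the recipient list if the configured sendmail accepts it. The enclosing method starts and ends outside the hunk.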
@@ -475,6 +497,8 @@ class MailingList:
 
     def read_stdin(self):
         data = sys.stdin.read()
+        # Convert CRLF to plain LF
+        data = "\n".join(data.split("\r\n"))
         # Skip Unix mbox "From " mail start indicator
         if data[:5] == "From ":
             data = string.split(data, "\n", 1)[1]
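Review bot: The CRLF normalisation added in `read_stdin` is written as a split followed by a join, where `data = data.replace("\r\n", "\n")` says the same thing in one step. The comment could also state why the conversion is needed here, for example that the header parsing further down splits on a bare "\n"; that reason is inferred, not visible in this hunk. `read_stdin` continues past the end of the hunk.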
@@ -527,7 +551,7 @@ class MailingList:
         
             return "\n".join(headers) + "\n\n" + body
         except:
-            error("Cannot MIME encode header, using original ones, sorry")
+            warning("Cannot MIME encode header, using original ones, sorry")
             return text
 
     def template(self, template_name, dict):
@@ -904,6 +928,10 @@ class MailingList:
         return text + self.template("footer", {})
 
     def send_mail_to_subscribers(self, text):
+        text = self.remove_some_headers(text, ["list-id", "list-help",
+                                               "list-unsubscribe",
+                                               "list-subscribe", "list-post",
+                                               "list-owner", "precedence"])
         text = self.headers_to_add() + self.list_headers() + \
                self.headers_to_remove(text)
         text = self.append_footer(text)
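Review bot: The new `remove_some_headers` call in `send_mail_to_subscribers` has no comment explaining why these headers are dropped before the list adds its own; something like `# Drop sender-supplied List-*/Precedence headers so only the list's own survive` would record the intent. The names are passed in lower case, and `remove_some_headers` is not visible here, so it is worth confirming that it matches header names case-insensitively; otherwise `List-Id:` as normally capitalised would pass through. The header list would read better as a module-level constant than inline in the call. The method body continues outside the hunk.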