diff options
| author | Lars Wirzenius <liw@iki.fi> | 2006-12-08 20:30:48 +0200 |
|---|---|---|
| committer | Lars Wirzenius <liw@iki.fi> | 2006-12-08 20:30:48 +0200 |
| commit | 0ba02928fc2ebf4a2cbfa0ce7441730630acb3a8 (patch) | |
| tree | eddc89853c2eff075fd2b85643c679b709c358b1 | |
| parent | 40fddc23dd3b446e0a80bd2865c6fc94105d77f4 (diff) | |
| download | eoc-0ba02928fc2ebf4a2cbfa0ce7441730630acb3a8.tar.gz | |
Applied patch for CVE-2006-5875.
| -rw-r--r-- | eoc.py | 40 |
1 files changed, 31 insertions, 9 deletions
@@ -4,7 +4,7 @@ This is a simple mailing list manager that mimicks the ezmlm-idx mail address commands. See manual page for more information. """ -VERSION = "1.2.3" +VERSION = "1.2.4" PLUGIN_INTERFACE_VERSION = "1" import getopt @@ -80,6 +80,34 @@ COMMANDS = SIMPLE_COMMANDS + SUB_COMMANDS + HASH_COMMANDS def md5sum_as_hex(s): return md5.new(s).hexdigest() + +def forkexec(argv, text): + """Run a command (given as argv array) and write text to its stdin""" + (r, w) = os.pipe() + pid = os.fork() + if pid == -1: + raise Exception("fork failed") + elif pid == 0: + os.dup2(r, 0) + os.close(r) + os.close(w) + fd = os.open("/dev/null", os.O_RDWR) + os.dup2(fd, 1) + os.dup2(fd, 2) + os.execvp(argv[0], argv) + sys.exit(1) + else: + os.close(r) + os.write(w, text) + os.close(w) + (pid2, exit) = os.waitpid(pid, 0) + if pid != pid2: + raise Exception("os.waitpid for %d returned for %d" % (pid, pid2)) + if exit != 0: + raise Exception("subprocess failed, exit=0x%x" % exit) + return exit + + environ = None def set_environ(new_environ): @@ -411,14 +439,8 @@ class MailingListManager: error("Error sending QMQP mail, mail probably not sent") sys.exit(1) else: - recipients = string.join(recipients, " ") - f = os.popen("%s -oi -f '%s' %s" % - (self.sendmail, - envelope_sender, - recipients), - "w") - f.write(text) - status = f.close() + status = forkexec([self.sendmail, "-oi", "-f", + envelope_sender] + recipienients, text) if status: error("%s returned %s, mail sending probably failed" % (self.sendmail, status)) |