[Pkg-mailman-hackers] Bug#974944: mailman3-web won't allow single quote in postorius password

peterc at lists.sel4.systems peterc at lists.sel4.systems
Mon Nov 16 21:19:25 GMT 2020 

Package: mailman3-web
Version: 0+20180916-8
Severity: normal

Dear Maintainer,

I ran 
   dpkg-reconfigure mailman3-web
and created the Postorius superuser, using a password with a quotation mark
in it.
Instead of initialising the user, it threw a python exception:

I think the setup should sanitise its arguments a bit better.


Traceback (most recent call last):
  File "/usr/bin/django-admin", line 21, in <module>
    management.execute_from_command_line()
  File "/usr/lib/python3/dist-packages/django/core/management/__init__.py", line 364, in execute_from_command_line
    utility.execute()
  File "/usr/lib/python3/dist-packages/django/core/management/__init__.py", line 356, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/lib/python3/dist-packages/django/core/management/base.py", line 283, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/lib/python3/dist-packages/django/core/management/base.py", line 330, in execute
    output = self.handle(*args, **options)
  File "/usr/lib/python3/dist-packages/django/core/management/commands/shell.py", line 95, in handle
    exec(options['command'])
  File "<string>", line 1
    from django.contrib.auth.models import User;               User.objects.filter(username='seL4').delete();               User.objects.create_superuser('seL4',               'root at localhost', 'a dog's life')
                                                                                                                                                                                                        ^
SyntaxError: invalid syntax


-- System Information:
Debian Release: 10.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-cloud-amd64 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mailman3-web depends on:
ii  dbconfig-sqlite3           2.0.11+deb10u1
ii  debconf [debconf-2.0]      1.5.71
ii  lsb-base                   10.2019051400
ii  node-less                  1.6.3~dfsg-3
ii  python3                    3.7.3-1
ii  python3-django-hyperkitty  1.2.2-1
ii  python3-django-postorius   1.2.4-1
ii  python3-psycopg2           2.7.7-1
ii  python3-whoosh             2.7.4+git6-g9134ad92-4
ii  sassc                      3.5.0-1
ii  ucf                        3.0038+nmu1
ii  uwsgi                      2.0.18-1
ii  uwsgi-plugin-python3       2.0.18-1

Versions of packages mailman3-web recommends:
ii  libapache2-mod-proxy-uwsgi  2.4.38-3+deb10u4

Versions of packages mailman3-web suggests:
ii  postgresql  11+200+deb10u4

-- debconf information excluded

More information about the Pkg-mailman-hackers mailing list