Index: head/japanese/mailman/Makefile
===================================================================
--- head/japanese/mailman/Makefile (revision 478434)
+++ head/japanese/mailman/Makefile (revision 478435)
@@ -1,185 +1,185 @@ # Created by: Sunagawa Koji # $FreeBSD$ PORTNAME= mailman PORTVERSION= 2.1.14.j7 -PORTREVISION= 5 +PORTREVISION= 6 PORTEPOCH= 1 CATEGORIES= japanese mail MASTER_SITES= https://docs.python.jp/contrib/mailman/_static/ \ LOCAL/tota/${PORTNAME} DISTNAME= ${PORTNAME}-${PORTVERSION:S/.j/+j/} DIST_SUBDIR= mailman MAINTAINER= tota@FreeBSD.org COMMENT= Japanized mailman which is a mailing list manager with a web front-end LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/gnu-COPYING-GPL CONFLICTS= mailman-2.1.* PORTSCOUT= limit:.*\.j\d+$$ USES= autoreconf gettext python:2.7 shebangfix tar:tgz USE_RC_SUBR= mailman GNU_CONFIGURE= yes GNU_CONFIGURE_PREFIX= ${MAILMANDIR} CONFIGURE_ARGS+=--with-python=${PYTHON_CMD} \ --with-username=${MM_USERNAME} \ --with-groupname=${MM_GROUPNAME} \ --with-mail-gid=${MAIL_GID} --with-cgi-gid=${CGI_GID} \ --with-permcheck=no # The Mailman port supports a number of variables that may be tweaked at # build time. Getting the values of some of them right is crucial! # MM_USERNAME?= mailman MM_USERID?= 91 MM_GROUPNAME?= ${MM_USERNAME} MM_GROUPID?= ${MM_USERID} MM_DIR?= mailman CGI_GID?= www IMGDIR?= www/icons # # End of user-configurable variables. 
USERS= ${MM_USERNAME} GROUPS= ${MM_GROUPNAME} MAILMANDIR= ${PREFIX}/${MM_DIR} PLIST_SUB= MMDIR=${MM_DIR} IMGDIR=${IMGDIR} SUB_FILES= pkg-message pkg-install pkg-deinstall SUB_LIST= MAILMANDIR=${MAILMANDIR} USER=${MM_USERNAME} GROUP=${MM_GROUPNAME} SHEBANG_FILES= bin/msgfmt.py \ tests/onebounce.py \ tests/fblast.py IMGFILES= PythonPowered.png mailman.jpg mm-icon.png PORTDOCS= ACKNOWLEDGMENTS BUGS FAQ INSTALL NEWS NEWS.japan.utf-8 \ README README-I18N.en README.CONTRIB README.NETSCAPE \ README.USERAGENT README.japan.utf-8 STYLEGUIDE.txt \ TODO UPGRADING \ mailman-admin.txt \ mailman-install.txt \ mailman-member.txt \ FreeBSD-post-install-notes OPTIONS_DEFINE= DOCS NAMAZU2 OPTIONS_SINGLE= MTA OPTIONS_SINGLE_MTA= SENDMAIL EXIM4 POSTFIX COURIER NAMAZU2_DESC= Make private archives searchable with namazu2 MTA_DESC= Integrate with which MTA? SENDMAIL_DESC= for use with sendmail EXIM4_DESC= for use with exim4 POSTFIX_DESC= for use with postfix COURIER_DESC= for use with courier OPTIONS_DEFAULT= SENDMAIL .include .if ${PORT_OPTIONS:MSENDMAIL} MAIL_GID?= mailnull .endif .if ${PORT_OPTIONS:MEXIM4} MAIL_GID?= mail .endif .if ${PORT_OPTIONS:MPOSTFIX} RUN_DEPENDS+= ${LOCALBASE}/sbin/postconf:mail/postfix BUILD_DEPENDS+= ${LOCALBASE}/sbin/postconf:mail/postfix MAIL_GID?= mailman EXTRA_PATCHES+= ${FILESDIR}/postfix-verp.diff .endif .if ${PORT_OPTIONS:MCOURIER} MAIL_GID?= courier .endif .if ${PORT_OPTIONS:MNAMAZU2} RUN_DEPENDS+= mknmz:japanese/namazu2 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Mailman_Cgi_private.py .endif pre-everything:: @${ECHO} "" @${ECHO} "You may change the following build options:" @${ECHO} "" @${ECHO} "Option Default Value Description" @${ECHO} "------------- --------------- ------------------------------------------------" @${ECHO} "MM_USERNAME mailman The username of the Mailman user." @${ECHO} "MM_USERID 91 The user ID of the Mailman user." @${ECHO} "MM_GROUPNAME mailman The group to which the Mailman user will belong." 
@${ECHO} "MM_GROUPID \$$MM_USERID The group ID for the Mailman user." @${ECHO} "MM_DIR mailman Mailman will be installed in" @${ECHO} " ${PREFIX}/${MM_DIR}." @${ECHO} "CGI_GID www The group name or id under which your web" @${ECHO} " server executes CGI scripts." @${ECHO} "IMGDIR www/icons Icon images will be installed in" @${ECHO} " ${PREFIX}/${IMGDIR}." @${ECHO} "" post-patch: @${REINPLACE_CMD} -e 's#%%LOCALBASE%%#${LOCALBASE}#g' \ ${WRKSRC}/Mailman/Defaults.py.in @${REINPLACE_CMD} -e 's/^0,5,10/#&/' ${WRKSRC}/cron/crontab.in.in pre-configure: @${ECHO} "DEFAULT_SERVER_LANGUAGE = 'ja'" >> ${WRKSRC}/Mailman/mm_cfg.py.dist.in @${ECHO} "GLOBAL_PIPELINE.insert(1, 'iso2022jpfix')" >> ${WRKSRC}/Mailman/mm_cfg.py.dist.in .if ${PORT_OPTIONS:MPOSTFIX} @${ECHO} "MTA = 'Postfix'" >> ${WRKSRC}/Mailman/mm_cfg.py.dist.in .endif post-install: .for i in admin admindb confirm create edithtml listinfo options private \ rmlist roster subscribe ${STRIP_CMD} ${STAGEDIR}${MAILMANDIR}/cgi-bin/${i} .endfor ${STRIP_CMD} ${STAGEDIR}${MAILMANDIR}/mail/mailman ${STRIP_CMD} ${STAGEDIR}${MAILMANDIR}/pythonlib/pykf.so # Compile additional Python scripts: .for dir in Mailman bin pythonlib (cd ${STAGEDIR}${MAILMANDIR} \ && ${PYTHON_CMD} ${PYTHON_LIBDIR}/compileall.py \ -f -d ${MAILMANDIR}/${dir} ${dir}) .endfor @${RM} ${STAGEDIR}${MAILMANDIR}/pythonlib/*.egg-info # mm_cfg.py is handled by pkg-plist: @${RM} ${STAGEDIR}${MAILMANDIR}/Mailman/mm_cfg.py @${RM} ${STAGEDIR}${MAILMANDIR}/Mailman/mm_cfg.pyc @${MKDIR} ${STAGEDIR}${PREFIX}/${IMGDIR} .for imgfile in ${IMGFILES} ${CP} ${STAGEDIR}${MAILMANDIR}/icons/${imgfile} ${STAGEDIR}${PREFIX}/${IMGDIR} .endfor uudecode -p ${FILESDIR}/powerlogo.gif.uue > \ ${STAGEDIR}${PREFIX}/${IMGDIR}/powerlogo.gif .if ${PORT_OPTIONS:MDOCS} ${CP} -R ${WRKSRC}/doc/* ${WRKSRC}/ @${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${FILESDIR}/FreeBSD-post-install-notes ${STAGEDIR}${DOCSDIR} .for docfile in ${PORTDOCS:NFreeBSD-post-install-notes} ${INSTALL_DATA} 
${WRKSRC}/${docfile} ${STAGEDIR}${DOCSDIR}
.endfor
.endif
@${MKDIR} ${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}
${ECHO} "This marker file ensures that Python's upgrade-site-packages handles ${PKGNAME}." >${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}/mailman-info.txt
.if ${PORT_OPTIONS:MPOSTFIX}
@if [ "x`${LOCALBASE}/sbin/postconf -h myhostname`" != "xlocalhost" ]; then \
${ECHO_CMD} ""; \
${ECHO_CMD} "Your Postfix hostname is non-default."; \
${ECHO_CMD} -n "You must add \"SMTPHOST = "; \
${ECHO_CMD} -n `${LOCALBASE}/sbin/postconf -h myhostname`; \
${ECHO_CMD} "\" to the bottom of mm_cfg.py."; \
${ECHO_CMD} ""; \
fi
.endif
.include
Index: head/japanese/mailman/files/patch-Mailman_Utils.py
===================================================================
--- head/japanese/mailman/files/patch-Mailman_Utils.py (revision 478434)
+++ head/japanese/mailman/files/patch-Mailman_Utils.py (revision 478435)
@@ -1,117 +1,148 @@
--- Mailman/Utils.py.orig 2011-12-11 07:56:23 UTC
+++ Mailman/Utils.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -93,6 +93,12 @@ def list_exists(listname):
#
# The former two are for 2.1alpha3 and beyond, while the latter two are
# for all earlier versions.
+ #
+ # But first ensure the list name doesn't contain a path traversal
+ # attack.
+ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
+ syslog('mischief', 'Hostile listname: %s', listname)
+ return False
basepath = Site.get_listpath(listname)
for ext in ('.pck', '.pck.last', '.db', '.db.last'):
dbfile = os.path.join(basepath, 'config' + ext)
-@@ -952,6 +958,7 @@ _badwords = [
+@@ -246,10 +252,28 @@ CRNLpat = re.compile(r'[^\x21-\x7e]')
+ def GetPathPieces(envar='PATH_INFO'):
+ path = os.environ.get(envar)
+ if path:
++ remote = os.environ.get('HTTP_FORWARDED_FOR',
++ os.environ.get('HTTP_X_FORWARDED_FOR',
++ os.environ.get('REMOTE_ADDR',
++ 'unidentified origin')))
+ if CRNLpat.search(path):
+ path = CRNLpat.split(path)[0]
+- syslog('error', 'Warning: Possible malformed path attack.')
+- return [p for p in path.split('/') if p]
++ syslog('error',
++ 'Warning: Possible malformed path attack domain=%s remote=%s',
++ get_domain(),
++ remote)
++ # Check for listname injections that won't be websafed.
++ pieces = [p for p in path.split('/') if p]
++ # Get the longest listname or 20 if none.
++ if list_names():
++ longest = max([len(x) for x in list_names()])
++ else:
++ longest = 20
++ if pieces and len(pieces[0]) > longest:
++ syslog('mischief',
++ 'Hostile listname: listname=%s: remote=%s', pieces[0], remote)
++ pieces[0] = pieces[0][:longest] + '...'
++ return pieces
+ return None
+
+
+@@ -952,6 +976,7 @@ _badwords = [
'
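Review bot: The new guard in list_exists reads `mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS`, and nothing visible in this commit defines it; if the port's patched Defaults.py.in does not carry that setting, every list_exists call raises AttributeError instead of returning False, which would turn the traversal hardening into an outage for every web and mail entry point that resolves a list name. It is worth confirming the setting exists in the patched tree, and the condition reads more plainly as `if re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname):` since the `len(...) > 0` adds nothing. The rejected listname is written to the mischief log verbatim, and having just failed the character check it can contain control characters or newlines, so `syslog('mischief', 'Hostile listname: %r', listname)` keeps the log line intact for later triage. list_exists continues below the inner hunk, and the enclosing outer hunk runs past the end of this page.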
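Review bot: In GetPathPieces the `remote` value prefers the client-supplied HTTP_FORWARDED_FOR and HTTP_X_FORWARDED_FOR headers over REMOTE_ADDR, so the address written into the 'error' and 'mischief' log lines can be chosen by the requester and, unless the web server filters it, may carry arbitrary text into syslog; that weakens these entries as evidence and makes them a log-injection channel. Keeping the trustworthy value separate fixes both: `remote = os.environ.get('REMOTE_ADDR', 'unidentified origin')` and `forwarded = os.environ.get('HTTP_X_FORWARDED_FOR', os.environ.get('HTTP_FORWARDED_FOR', ''))`, with the format strings extended by a `forwarded=%r` field. `list_names()` is also called twice on the same request, once for the truthiness test and once inside the `max()`; bind it once with `names = list_names()` and compute `max(len(x) for x in names)`. Note that the length clamp is only a noise limiter, not a validation: a hostile first path piece no longer than the longest real list still reaches the caller unchanged, so the real gate remains the character check in list_exists.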