On Wed, 2005-02-16 at 01:15 +0000, Dominic Hargreaves wrote:
> On Tue, Feb 15, 2005 at 08:11:54PM -0500, Jim Popovitch wrote:
>
> > Why was this applied to Mailman v2.0.13? According to
> > http://www.list.org/security.html it only affects v2.1 to v2.1.16
>
> AFAICT the information on that page is incomplete.
>
> http://rhn.redhat.com/errata/RHSA-2005-136.html
> http://www.debian.org/security/2005/dsa-674
>
> both have updates for the 2.0 series.

OK... Here is what Mailman 2.0 looked like (prior to CAN-2005-0202):

    def true_path(path):
        "Ensure that the path is safe by removing .."
        path = string.replace(path, "../", "")
        path = string.replace(path, "./", "")      <-- Double Quotes
        return path[1:]

Here is what Mailman 2.1.5 looked like (prior to CAN-2005-0202):

    def true_path(path):
        "Ensure that the path is safe by removing .."
        path = path.replace('../', '')
        path = path.replace('./', '')              <-- Single Quotes
        return path[1:]

Here is what the Mailman developers themselves recommend as a fix to the
2.1 series for CAN-2005-0202, in addition to saying that 2.0.x is
unaffected:

    SLASH = '/'

    def true_path(path):
        "Ensure that the path is safe by removing .."
        parts = path.split(SLASH)
        safe = [x for x in parts if x not in ('.', '..')]
        if parts <> safe:
            syslog('mischief', 'Directory traversal attack thwarted')
        return SLASH.join(safe)[1:]

Here is what is now in the FedoraLegacy RH73 release 2.0.13-7:

    def true_path(path):
        "Ensure that the path is safe by removing .."
        path = re.sub('\.+/+', '', path)
        return path[1:]

So, why so much difference between what we are releasing and what is
being recommended? (Not that Mailman's recommendations are anything like
the past versions.) Also, what is "re.sub"?

Glad there is a fix, just curious to know the reasoning and path to
resolution.

Thanks,

-Jim P.

--
fedora-legacy-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-legacy-list
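The following is an added example, not part of Jim's message and not Mailman's own code. It re-expresses the true_path variants quoted above in Python 3 (string.replace and the `<>` operator are Python 2; the 2.0 and 2.1.5 versions differ only in quoting, so one function stands for both) and runs each against a constructed payload of the shape the CAN-2005-0202 advisories describe. The archive directory, the escapes() containment check and the log callback are assumptions added for illustration; re.sub is documented in a comment since the message asks what it is.

```python
import posixpath
import re

SLASH = '/'


def true_path_replace(path):
    # Python 3 rendering of the pre-CAN-2005-0202 code (both the 2.0 and
    # the 2.1.5 version): strip "../" and then "./" as substrings, then
    # drop the leading character. The two passes run in sequence, so the
    # second pass can manufacture a "../" that the first pass never saw.
    path = path.replace('../', '')
    path = path.replace('./', '')
    return path[1:]


def true_path_split(path, log=None):
    # The component-wise fix the Mailman developers recommended for 2.1:
    # split on "/" and drop any component that is exactly "." or "..".
    # Components such as "..." or "...." are ordinary directory names and
    # are left alone; they cannot climb out of the archive directory.
    parts = path.split(SLASH)
    safe = [x for x in parts if x not in ('.', '..')]
    if parts != safe and log is not None:   # Python 2 "<>" is "!=" here
        log('mischief', 'Directory traversal attack thwarted')
    return SLASH.join(safe)[1:]


def true_path_resub(path):
    # The FedoraLegacy 2.0.13-7 fix. re.sub(pattern, repl, s) returns s
    # with every non-overlapping match of the regex replaced by repl.
    # r'\.+/+' is one or more dots followed by one or more slashes, so
    # "../", ".../" and "....///" are all deleted in a single pass; no
    # "./" or "../" can survive because any dot directly before a kept
    # slash would itself have matched.
    path = re.sub(r'\.+/+', '', path)
    return path[1:]


# Constructed payload (not taken from any advisory verbatim): each
# ".../....///" unit loses two "../" substrings in the first replace,
# leaving "...//", and the second replace then strips "./" from that,
# leaving "../".
PAYLOAD = '/.../....///.../....///etc/passwd'

# Assumed location of the private archives, for the containment check.
ARCHIVE_DIR = '/var/lib/mailman/archives/private'


def escapes(base, rel):
    # True if base/rel normalises to a location outside base. This is the
    # check a reviewer would want next to any sanitiser, independent of
    # how the sanitiser itself is written.
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, rel))
    return not target.startswith(base + '/')


def evaluate(path=PAYLOAD):
    # Run the payload through all three variants and report, per variant,
    # the sanitised relative path and whether it escapes ARCHIVE_DIR.
    results = {}
    for name, fn in (('replace', true_path_replace),
                     ('split', true_path_split),
                     ('resub', true_path_resub)):
        rel = fn(path)
        results[name] = (rel, escapes(ARCHIVE_DIR, rel))
    return results


if __name__ == '__main__':
    for name, (rel, bad) in evaluate().items():
        print('%-8s -> %-40r escapes=%s' % (name, rel, bad))
```

Running it shows the substring-replace version (whichever quoting style it uses) handing back "../../etc/passwd", while both the split-based and the re.sub-based versions return a path that stays under the archive directory; the two fixes differ in whether "..." survives as a literal component, but neither lets a "." or ".." component through.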