Checkin for initial workaround for directry traverse flaw in private.py.

This is for the people who think 'CVS should be safe' and not final solution.
author: tkikuchi <> 2005-02-10 03:57:00 +0000
committer: tkikuchi <> 2005-02-10 03:57:00 +0000
commit: 84166df3718461e420b7d672df91bfd271814a03 (patch)
tree: 4ab948e2f7ef439a5698beb830cd54d30999bb87 /Mailman/Cgi
parent: 558a5b013874b17380d93f0501a5b5a56c945e77 (diff)
download: mailman2-84166df3718461e420b7d672df91bfd271814a03.tar.gz
mailman2-84166df3718461e420b7d672df91bfd271814a03.tar.xz
mailman2-84166df3718461e420b7d672df91bfd271814a03.zip
1 files changed, 6 insertions, 3 deletions
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 5fa5398e..cacc79cd 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -35,13 +35,16 @@ from Mailman.Logging.Syslog import syslog
 _ = i18n._
 i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
 
+SLASH = '/'
+
 
 
 def true_path(path):
     "Ensure that the path is safe by removing .."
-    path = path.replace('../', '')
-    path = path.replace('./', '')
-    return path[1:]
+    # Workaround for path traverse vulnerablity. Unsuccessfull attempt
+    # will be logged in logs/error, anyway.
+    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
+    return SLASH.join(parts)[1:]
author	tkikuchi <>	2005-02-10 03:57:00 +0000
committer	tkikuchi <>	2005-02-10 03:57:00 +0000
commit	84166df3718461e420b7d672df91bfd271814a03 (patch)
tree	4ab948e2f7ef439a5698beb830cd54d30999bb87 /Mailman/Cgi
parent	558a5b013874b17380d93f0501a5b5a56c945e77 (diff)
download	mailman2-84166df3718461e420b7d672df91bfd271814a03.tar.gz mailman2-84166df3718461e420b7d672df91bfd271814a03.tar.xz mailman2-84166df3718461e420b7d672df91bfd271814a03.zip