diff options
author | Mark Sapiro <mark@msapiro.net> | 2015-03-27 14:12:16 -0700 |
---|---|---|
committer | Mark Sapiro <mark@msapiro.net> | 2015-03-27 14:12:16 -0700 |
commit | d3124395a3abfe0ccd9f1c37096292bfbe939a85 (patch) | |
tree | b467552f192b40d48b13697a5d0ba1e407136abf /Mailman/Utils.py | |
parent | f7f85e8b85b027a919705895f80b63c5d03d727c (diff) | |
download | mailman2-d3124395a3abfe0ccd9f1c37096292bfbe939a85.tar.gz mailman2-d3124395a3abfe0ccd9f1c37096292bfbe939a85.tar.xz mailman2-d3124395a3abfe0ccd9f1c37096292bfbe939a85.zip |
Fix for path traversal vulnerability.
Diffstat (limited to '')
-rw-r--r-- | Mailman/Utils.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 13c4ed8b..1cd1cdb7 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -100,6 +100,12 @@ def list_exists(listname): # # The former two are for 2.1alpha3 and beyond, while the latter two are # for all earlier versions. + # + # But first ensure the list name doesn't contain a path traversal + # attack. + if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0: + syslog('mischief', 'Hostile listname: %s', listname) + return False basepath = Site.get_listpath(listname) for ext in ('.pck', '.pck.last', '.db', '.db.last'): dbfile = os.path.join(basepath, 'config' + ext) |