-rw-r--r--Mailman/Cgi/private.py9
1 files changed, 6 insertions, 3 deletions
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 5fa5398e..cacc79cd 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -35,13 +35,16 @@ from Mailman.Logging.Syslog import syslog
_ = i18n._
i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+SLASH = '/'
+
def true_path(path):
"Ensure that the path is safe by removing .."
- path = path.replace('../', '')
- path = path.replace('./', '')
- return path[1:]
+ # Workaround for path traverse vulnerablity. Unsuccessfull attempt
+ # will be logged in logs/error, anyway.
+ parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
+ return SLASH.join(parts)[1:]
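Review bot: The new filter on L24 drops `.` and `..` components but keeps empty ones, so the `[1:]` slice on L25 can still return an absolute path: `//etc/passwd` splits to `['', '', 'etc', 'passwd']`, joins back to `//etc/passwd`, and comes out as `/etc/passwd`; if the caller (outside this hunk) joins that result onto the archive directory with `os.path.join`, an absolute right-hand operand discards the base, which is the same class of escape this workaround is meant to close. The slice also assumes the first character is a slash and would silently eat the first character of a path that lacks one. Filtering empty segments fixes both and makes the slice unnecessary: `parts = [x for x in path.split(SLASH) if x and x not in ('.', '..')]` followed by `return SLASH.join(parts)`. While here, the comment's spelling (`vulnerablity`, `Unsuccessfull`) could be corrected, and its claim that failed attempts end up in logs/error is not established by anything visible in this hunk, so it should either point at where that logging happens or be dropped.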