From 84166df3718461e420b7d672df91bfd271814a03 Mon Sep 17 00:00:00 2001
From: tkikuchi <>
Date: Thu, 10 Feb 2005 03:57:00 +0000
Subject: Checkin for initial workaround for directry traverse flaw in
 private.py. This is for the people who think 'CVS should be safe' and not
 final solution.

---
 Mailman/Cgi/private.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 5fa5398e..cacc79cd 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -35,13 +35,16 @@ from Mailman.Logging.Syslog import syslog
 _ = i18n._
 i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
 
+SLASH = '/'
+
 
 
 def true_path(path):
     "Ensure that the path is safe by removing .."
-    path = path.replace('../', '')
-    path = path.replace('./', '')
-    return path[1:]
+    # Workaround for path traverse vulnerablity. Unsuccessfull attempt
+    # will be logged in logs/error, anyway.
+    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
+    return SLASH.join(parts)[1:]
 
 
 
-- 
cgit v1.2.3