[ mailman-Patches-582567 ] No Archive Message
Patches item #582567, was opened at 2002-07-16 19:36
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=582567&group_id=103

Category: Web UI
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Susan Dridi (sdridi)
Assigned to: Nobody/Anonymous (nobody)
Summary: No Archive Message
Initial Comment: If there are no messages in a private archive (a new list, for example), and if a user visits the archives, they are given a message with more path information than they need. For example, if I have a Mailman list called yippee and my user name is smith, the message displayed is:
No file /yippee/ (/evenhigherdirectory/higherdirectory/smith/archives/private/yippee/)
The path is generated by the "safetruefilename" variable which comes from:
line 102 of Mailman/Cgi/private.py:

    path = os.environ.get('PATH_INFO')
    true_filename = os.path.join(
        mm_cfg.PRIVATE_ARCHIVE_FILE_DIR,
        true_path(path))

and line 194 of Mailman/Cgi/private.py:

    except IOError:
        # Avoid cross-site scripting attacks
        safetruefilename = cgi.escape(true_filename)
        safepath = cgi.escape(path)
        print 'Content-type: text/html\n'
        print "<H3>Archive File Not Found</H3>"
        print "No file", safepath, '(%s)' % safetruefilename
This is more information than a user can deduce from the URL. Users of a private list have the right to view info posted to the list. Unauthorized users shouldn't be able to learn directory structure of the host. This is not even information that the admin needs to debug anything - the admin ought to know where the archives are stored!
By commenting out the variables after print "No file", safepath, the user is given a better info message, in this example, No file /yippee/
This may not be the best solution, but it works for my project:)
-Susan
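
The error page described in the report, next to a variant that shows only the request path and sends the resolved filename to the server log. This is an added example, not Mailman's code and not part of the submitted patch. It is written for Python 3 with html.escape, and ARCHIVE_ROOT, serve, not_found_verbose and not_found_minimal are hypothetical names, with ARCHIVE_ROOT constructed from the path in the report.

```python
import html
import logging
import os

# Constructed stand-in for mm_cfg.PRIVATE_ARCHIVE_FILE_DIR (assumption).
ARCHIVE_ROOT = "/evenhigherdirectory/higherdirectory/smith/archives/private"

log = logging.getLogger("private_archive")


def not_found_verbose(path_info, true_filename):
    """Behaviour described in the report: the server-side path reaches the visitor."""
    return "<H3>Archive File Not Found</H3>\nNo file %s (%s)" % (
        html.escape(path_info), html.escape(true_filename))


def not_found_minimal(path_info, true_filename):
    """Echo only what the visitor sent; record the real path in the server log."""
    log.warning("archive file not found: %r -> %r", path_info, true_filename)
    return "<H3>Archive File Not Found</H3>\nNo file %s" % html.escape(path_info)


def serve(path_info, render_error):
    """Return (status, body) for a request path, using the given error renderer."""
    # Simplified stand-in for the page's true_path(path) call (assumption).
    true_filename = os.path.normpath(
        os.path.join(ARCHIVE_ROOT, path_info.lstrip("/")))
    try:
        # Containment check added for this example so it never opens files
        # outside ARCHIVE_ROOT.
        if os.path.commonpath([ARCHIVE_ROOT, true_filename]) != ARCHIVE_ROOT:
            raise OSError("request resolves outside the archive root")
        with open(true_filename) as f:
            return 200, f.read()
    except OSError:
        return 404, render_error(path_info, true_filename)


if __name__ == "__main__":
    for renderer in (not_found_verbose, not_found_minimal):
        status, body = serve("/yippee/", renderer)
        print(renderer.__name__, status, "leaks root:", ARCHIVE_ROOT in body)
```
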