[Fwd: Fwd: Re: [Mailman-Announce] Critical security update for Mailman 2.1.5 and earlier [origin: mailman-developers-owner@python.org]]
February 2005
1:09 a.m.
From: Axel Beckert <beckert@ecos.de>
Subject: Re: [Mailman-Announce] Critical security update for Mailman 2.1.5 and earlier
To: mailman-developers@python.org
I just want to share my experiences with the patch:
On Thu, Feb 10, 2005 at 09:41:05AM -0500, Barry Warsaw wrote:
> There is a critical security flaw in Mailman 2.1.5 and earlier Mailman 2.1 versions
As I noticed, 2.0.x versions (at least 2.0.13) are vulnerable, too.
I suspect that even 1.x versions of Mailman are vulnerable.
Is there any patch which complies with Python 1 syntax?
I think something like this should work, slightly tested using Python 1.5.2.
    import string   # Python 1.x has no string methods; string.split/join are needed

    SLASH = '/'

    def true_path(path):
        "Ensure that the path is safe by removing .."
        parts = string.split(path, SLASH)
        safe = filter(lambda x: x not in ('.', '..'), parts)
        if parts <> safe:
            # No easy "syslog()" function is necessarily available in
            # early Mailman versions.
            #
            # syslog('mischief', 'Directory traversal attack thwarted')
            pass
        return string.join(safe, SLASH)[1:]
-- Harald
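As an added check (not part of the thread or of Mailman's own code), here is a Python 3 port of the same component filter, paired with a containment test that confirms the cleaned path still resolves under the archive root; the archive root and the request paths are constructed samples.

```python
import posixpath

SEP = '/'

def true_path(path):
    # Drop every '.' and '..' component, as the thread's patch does, and
    # report whether any were present so the caller can log it.
    parts = path.split(SEP)
    safe = [p for p in parts if p not in ('.', '..')]
    mischief = parts != safe
    # The original strips the leading slash with [1:]; lstrip keeps that
    # behaviour without eating the first character of a relative path.
    return SEP.join(safe).lstrip(SEP), mischief

def is_inside(base, full):
    # True when a normalised absolute path is at or under base.
    base = posixpath.normpath(base)
    return full == base or full.startswith(base + SEP)

def resolve_under(base, path):
    # Sanitize, join to the archive root, normalise, and confirm containment.
    cleaned, mischief = true_path(path)
    full = posixpath.normpath(posixpath.join(base, cleaned))
    return full, mischief, is_inside(base, full)

# Constructed sample: a private-archive root and two requested paths.
BASE = '/var/lib/mailman/archives/private'
REQUESTS = [
    '/mylist/2005-February/000001.html',
    '/mylist/../../../../../../etc/passwd',
]

def check_all(base=BASE, requests=REQUESTS):
    # Returns one (resolved_path, mischief, inside) tuple per request.
    return [resolve_under(base, r) for r in requests]

if __name__ == '__main__':
    for req, (full, mischief, inside) in zip(REQUESTS, check_all()):
        flag = 'TRAVERSAL ATTEMPT' if mischief else 'ok'
        print('%-40s -> %s (%s, inside=%s)' % (req, full, flag, inside))
```

The `inside` flag is the independent check worth keeping even with the filter in place: it fails for any path that escapes the root regardless of how the escape was spelled.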