[Mailman-Developers] [ mailman-Patches-582567 ] No Archive Message

noreply@sourceforge.net noreply@sourceforge.net
Tue, 16 Jul 2002 17:36:14 -0700


Patches item #582567, was opened at 2002-07-16 19:36
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=582567&group_id=103

Category: Web UI
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Susan Dridi (sdridi)
Assigned to: Nobody/Anonymous (nobody)
Summary: No Archive Message

Initial Comment:
If there are no messages in a private archive (a new list, for example), and if a user visits the archives, 
they are given a message with more path information than they need. For example, if I have a Mailman 
list called yippee and my user name is smith, the message displayed is:

No file /yippee/ (/evenhigherdirectory/higherdirectory/smith/archives/private/yippee/) 

The path is generated by the "safetruefilename" variable, which comes from:

line 102 of Mailman/Cgi/private.py:

    path = os.environ.get('PATH_INFO')
    true_filename = os.path.join(
        mm_cfg.PRIVATE_ARCHIVE_FILE_DIR,
        true_path(path))

and line 194 of Mailman/Cgi/private.py:

    except IOError:
        # Avoid cross-site scripting attacks
        safetruefilename = cgi.escape(true_filename)
        safepath = cgi.escape(path)
        print 'Content-type: text/html\n'

        print "<H3>Archive File Not Found</H3>"
        print "No file", safepath, '(%s)' % safetruefilename
    
This is more information than a user can deduce from the URL. Users of a private list have the right to 
view info posted to the list. Unauthorized users shouldn't be able to learn directory structure of the host. 
This is not even information that the admin needs to debug anything - the admin ought to know where the 
archives are stored!

By commenting out the variables after print "No file", safepath, the user is given a better info message; in 
this example: No file /yippee/

This may not be the best solution, but it works for my project :)

-Susan


----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=582567&group_id=103