[Mailman-Developers] 2.1b3+ private.py bug report

Michael Meltzer mjm@michaelmeltzer.com
Tue, 17 Sep 2002 01:54:15 -0400


mailman from CVS as of 8pm EDT 9/16/02

It looks like private.py has an interesting problem :-). Scrubber.py is very good at saving files with various MIME types; the
problem is that when you go to get them through private.py they are returned with a MIME type of "text/html". The funny thing is that for a JPEG,
Internet Explorer will display it correctly (I am assuming the extension is being used), but in Netscape 4.7 and Opera 6.0 you get the
dance of binary text across the screen.

BTW, on a related issue, there is a small security issue, maybe: public archives seem to go straight to the paths. Anyone who knows the
system might be able to interject a php or shtml script into the archive and get, for example, Apache to think it is a server-side
executable; the default install from the BSD ports collection for Apache/php would do this. Might want to give people a heads up in
INSTALL and have them tighten down their .htaccess file for this pathing; might even consider adding a .htaccess to the default
install. I would hate to have Mailman end up with a CERT which is really not its fault.

MJM
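
The two points in this report, sketched as an added example that is not part of the original post and is not Mailman's code: choosing a Content-Type for a scrubbed attachment from its filename instead of always sending "text/html", and flagging attachment names that carry an extension a web server may execute. The function names, the extension set and the inline-safe list are assumptions made for illustration.

```python
import mimetypes
import posixpath

# Assumption: extensions the web server may treat as server-side executable.
# .php and .shtml are the two named in the post; adjust to the server's config.
SERVER_EXECUTABLE_EXTS = {".php", ".shtml"}

# Assumption: types considered safe to render inline in a browser.
INLINE_SAFE = {"image/jpeg", "image/png", "image/gif", "text/plain"}


def has_server_executable_ext(filename):
    """True if any dot-separated extension matches, e.g. 'a.php.jpg'.

    Every extension is checked, not only the last one, because Apache's
    mod_mime can map a handler from any extension of a multi-extension name.
    """
    parts = posixpath.basename(filename).lower().split(".")[1:]
    return any("." + part in SERVER_EXECUTABLE_EXTS for part in parts)


def attachment_headers(filename):
    """Response headers a private-archive handler could send for an attachment."""
    ctype, encoding = mimetypes.guess_type(filename)
    # Unknown type, compressed wrapper, or script-like name: opaque bytes.
    if ctype is None or encoding is not None or has_server_executable_ext(filename):
        ctype = "application/octet-stream"
    headers = [
        ("Content-Type", ctype),
        # Tell browsers not to second-guess the declared type by sniffing.
        ("X-Content-Type-Options", "nosniff"),
    ]
    if ctype not in INLINE_SAFE:
        headers.append(("Content-Disposition", "attachment"))
    return headers


if __name__ == "__main__":
    # Constructed sample filenames, not taken from a real archive.
    for name in ("photo.jpg", "notes.txt", "evil.php.jpg", "page.shtml", "blob.bin2"):
        print(name, has_server_executable_ext(name), attachment_headers(name))
```

For the public-archive case the same `has_server_executable_ext` check can be applied when the attachment is saved, so that a flagged file is stored under a neutral name before the web server ever maps its path.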