[Mailman-Users] Re: [Mailman-Announce] Critical security update for Mailman 2.1.5 and earlier

Tokio Kikuchi tkikuchi at is.kochi-u.ac.jp
Fri Feb 11 02:06:55 CET 2005


> As I noticed, 2.0.x versions (at least 2.0.13) are vulnerable,
> too. (As the subject of the announcement also suggested.)

> Which unfortunately only works with Python 2. 
> Python 1 (respective at least 1.5.2) complains about syntax
> errors. (Which, in fact, also helps against the vulnerability by
> displaying the "You've found a Mailman bug" page. ;-)

Change the true_path function as:

def true_path(path):
     "Ensure that the path is safe by removing .."
     import re
     path = re.sub('\.+/+', '', path)
     return path[1:]

and try. Sorry but I have no 2.0.x around but only found a machine which 
have working Python 1.x installed.

Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp

More information about the Mailman-Users mailing list