[Mailman-Users] mailman upgrade -> bug

Olivier Nibart olivier at naya-tec.com
Fri Feb 18 11:46:16 CET 2005


I've sent a mail to the package maintainer 3 days ago, with no answer for 
the moment.
As Brad said, they mis-applied the patch.
As the system says, the problem comes from the SLASH variable that is 
not set :

admin(20327):     parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
admin(20327): NameError: global name 'SLASH' is not defined

To correct it, do as follows :

- edit the file /usr/lib/mailman/Mailman/Cgi/private.py and replace 
(SLASH) by ('/')
You should now see :
# Set up i18n.  Until we know which list is being requested, we use the
# server's default.
_ = i18n._

def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = [x for x in path.split('/') if x not in ('.', '..')]
    return '/'.join(parts)[1:]

- run dpkg-reconfigure mailman : this will force python to 'recompile' 
the file (there is probably a more elegant way to do it, but this one 

That should do the trick.

Note that re-applying the patch should not work because the private.py 
had already been modified. It's only a guess.

Brad Knowles wrote:

> At 12:26 AM +0100 2005-02-15, denis wrote:
>>  I have made the security upgrade on debian to mailman version 2.1.5-6.
>>  And now, I have a bug in all the archives.
>>  Is it possible to fix that ?
>     Looks like someone mis-applied the patch at 
> <http://www.list.org/CAN-2005-0202.txt>.  Try re-applying it correctly.

olivier at naya-tec.com (Olivier Nibart)
gsm: +32 472 514 103
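
Added example (not part of the original post and not Mailman's own code): a Python check that exercises true_path as quoted above and shows why an undefined SLASH only surfaces as a NameError when an archive page is requested. ARCHIVE_ROOT, the sample paths, broken_true_path, stays_under and audit are constructed for illustration, and the containment check is an assumed extra safeguard, not something the patch contains.

```python
import posixpath

SLASH = '/'  # the name the mis-applied patch left undefined in private.py
ARCHIVE_ROOT = '/srv/example/archives/private'  # hypothetical archive directory

def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]

def broken_true_path(path):
    # Stand-in for the mis-applied patch: the body uses a global that is
    # never defined. Python resolves globals at call time, so the module
    # still imports and the failure only appears on the first request.
    parts = [x for x in path.split(MISSING_SLASH) if x not in ('.', '..')]
    return '/'.join(parts)[1:]

def stays_under(root, relative):
    # Assumed extra check, not part of the patch: join, normalise, then
    # confirm the result is still below root.
    full = posixpath.normpath(posixpath.join(root, relative))
    return full.startswith(root.rstrip('/') + '/')

# Constructed request paths, PATH_INFO style (leading slash).
SAMPLES = [
    '/mylist/2005-February/000123.html',
    '/mylist/./index.html',
    '/mylist/../../outside/file.txt',
]

def audit(sanitiser, paths=SAMPLES, root=ARCHIVE_ROOT):
    """Return (path, cleaned, contained) tuples, or an error string
    when the sanitiser itself cannot run."""
    results = []
    for p in paths:
        try:
            cleaned = sanitiser(p)
        except NameError as exc:
            return 'sanitiser broken: %s' % exc
        results.append((p, cleaned, stays_under(root, cleaned)))
    return results

if __name__ == '__main__':
    for name, fn in (('patched', true_path), ('mis-applied', broken_true_path)):
        print(name, audit(fn))
```

Running a check like this after editing private.py confirms both that the function executes and that every cleaned path still resolves below the archive directory.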
