Fedora Legacy Test Update Notification: mailman
Jim Popovitch
jimpop at yahoo.com
Wed Feb 16 01:43:36 UTC 2005
On Wed, 2005-02-16 at 01:15 +0000, Dominic Hargreaves wrote:
> On Tue, Feb 15, 2005 at 08:11:54PM -0500, Jim Popovitch wrote:
>
> > Why was this applied to Mailman v2.0.13? According to
> > http://www.list.org/security.html it only affects v2.1 to v2.1.16
>
> AFAICT the information on that page is incomplete.
>
> http://rhn.redhat.com/errata/RHSA-2005-136.html
> http://www.debian.org/security/2005/dsa-674
>
> both have updates for the 2.0 series.
OK...
Here is what Mailman 2.0 looked like (prior to CAN-2005-0202):

import string

def true_path(path):
    "Ensure that the path is safe by removing .."
    path = string.replace(path, "../", "")
    path = string.replace(path, "./", "")    # <-- Double Quotes
    return path[1:]
Here is what Mailman 2.1.5 looked like (prior to CAN-2005-0202):

def true_path(path):
    "Ensure that the path is safe by removing .."
    path = path.replace('../', '')
    path = path.replace('./', '')            # <-- Single Quotes
    return path[1:]
Here is what Mailman developers themselves recommend as a fix
to the 2.1 series for CAN-2005-0202, in addition to saying that
2.0.x is unaffected:

from Mailman.Logging.Syslog import syslog

SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = path.split(SLASH)
    safe = [x for x in parts if x not in ('.', '..')]
    if parts <> safe:
        syslog('mischief', 'Directory traversal attack thwarted')
    return SLASH.join(safe)[1:]
Here is what is now in FedoraLegacy RH73 release 2.0.13-7:

import re

def true_path(path):
    "Ensure that the path is safe by removing .."
    path = re.sub('\.+/+', '', path)
    return path[1:]
So, why so much difference between what we are releasing and what is
being recommended? (Not that Mailman's recommendations are anything like
the past versions.) Also, what is "re.sub"?
Glad there is a fix, just curious to know the reasoning and path to
resolution.
Thanks,
-Jim P.
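The three sanitizer styles quoted in the message above, run side by side, as an added example; this is not code from the Mailman project, the Fedora Legacy update, or the poster. The single-pass substring deletion of "../" and "./" (the 2.0 / 2.1.5 code) is compared with the component-wise filter the Mailman developers recommended and with the re.sub() variant shipped in 2.0.13-7, on constructed inputs. The split-based variant appends to a list instead of calling Mailman's syslog() helper, and uses "!=" in place of the Python 2 "<>", so that the block runs stand-alone under Python 3; those two substitutions are assumptions of this example.

```python
import re

# Added example (not Mailman/Fedora Legacy code): the three true_path()
# variants from the message, kept behaviourally identical to the quoted
# snippets, plus a small harness to compare them on constructed paths.

SLASH = '/'
MISCHIEF_LOG = []   # stand-in for syslog('mischief', ...) (assumption)


def true_path_replace(path):
    """Mailman 2.0 / 2.1.5 style: delete the substrings '../' then './'.
    str.replace has the same semantics as the old string.replace."""
    path = path.replace('../', '')
    path = path.replace('./', '')
    return path[1:]


def true_path_split(path):
    """Mailman developers' recommended fix: drop any '.' or '..' component."""
    parts = path.split(SLASH)
    safe = [x for x in parts if x not in ('.', '..')]
    if parts != safe:
        MISCHIEF_LOG.append('Directory traversal attack thwarted')
    return SLASH.join(safe)[1:]


def true_path_resub(path):
    """Fedora Legacy 2.0.13-7 style: re.sub() deletes every run of one or
    more dots followed by one or more slashes, in a single left-to-right pass."""
    path = re.sub(r'\.+/+', '', path)
    return path[1:]


def has_dotdot_component(path):
    """True if a '..' path component survives, i.e. joining the result onto
    the archive directory would still climb out of it."""
    return '..' in path.split(SLASH)


def compare(path):
    """Return what each variant makes of one PATH_INFO-style path."""
    return {
        'replace': true_path_replace(path),
        'split': true_path_split(path),
        'resub': true_path_resub(path),
    }


# Constructed inputs (not taken from any real request).
PLAIN = '/../etc/passwd'
# Deleting '../' from '.../....///' leaves '...//'; deleting './' from that
# leaves '../'.  So one pass of each replacement rebuilds what it removed.
NESTED = '/.../....///.../....///etc/passwd'
# A trailing '..' with no slash after it: neither substring deletion nor
# the regex touches it; only the component filter removes it.
TRAILING = '/..'

if __name__ == '__main__':
    for p in (PLAIN, NESTED, TRAILING):
        for name, out in compare(p).items():
            print('%-8s %-36r -> %r  dotdot=%s'
                  % (name, p, out, has_dotdot_component(out)))
    print(MISCHIEF_LOG)
```

The point the comparison makes is the one behind the recommended fix: removing a substring once is not idempotent (the output can contain the very substring that was removed), whereas filtering path components cannot reintroduce a ".." because it never rewrites a component, it only drops it.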