authorbwarsaw2000-09-29 00:05:05 +0000
committerbwarsaw2000-09-29 00:05:05 +0000
commitceddf83bf0000704b4c2c3428db124e88d4a1ee4 (patch)
treeafb489a2eb004c39366553fb4cb12d9da5c8b7e7 /Mailman/Cgi/listinfo.py
parent8fab2b4ea200b7fbdac7e5f99881f07047ef467c (diff)
Fixes for a minor local security hole. Some of the CGI scripts could
bomb with tracebacks if PATH_INFO environment variable wasn't defined. Fixed this by making them all use Utils.GetPathPieces() and "doing something sensible" when that returned a false value. Also, edithtml is now hidden behind a login screen, so there's no need to enter the list password to edit the html. You can't even get to the list of files to edit unless you've admin authenticated. Closes SF bug #114091, Jitterbug PR# 24.
Diffstat (limited to 'Mailman/Cgi/listinfo.py')
-rw-r--r--Mailman/Cgi/listinfo.py10
1 files changed, 2 insertions, 8 deletions
diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py
index 92fa038a8..8c9e78229 100644
--- a/Mailman/Cgi/listinfo.py
+++ b/Mailman/Cgi/listinfo.py
@@ -32,14 +32,8 @@ from Mailman.Logging.Syslog import syslog
def main():
- try:
- path = os.environ['PATH_INFO']
- except KeyError:
- FormatListinfoOverview()
- return
-
- parts = Utils.GetPathPieces(path)
- if len(parts) == 0:
+ parts = Utils.GetPathPieces()
+ if not parts:
FormatListinfoOverview()
return
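Review bot: The overview fallback at the top of main() now depends entirely on Utils.GetPathPieces() returning a false value when PATH_INFO is missing or empty, and nothing at the call site records that contract. A one-line comment above the call would keep a later change to the helper from quietly reintroducing the traceback, for example `# GetPathPieces() reads PATH_INFO itself; a false result means unset or empty, so show the overview`. The helper lives in another file, so its behaviour here is taken from the commit message rather than from these lines. The elements of `parts` still originate from the request URL, so the rest of main(), which continues outside this hunk, should keep treating them as untrusted input wherever they are used (presumably to look up the list).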