| author | bwarsaw | 2000-09-29 00:05:05 +0000 |
|---|---|---|
| committer | bwarsaw | 2000-09-29 00:05:05 +0000 |
| commit | ceddf83bf0000704b4c2c3428db124e88d4a1ee4 (patch) | |
| tree | afb489a2eb004c39366553fb4cb12d9da5c8b7e7 /Mailman/Cgi/private.py | |
| parent | 8fab2b4ea200b7fbdac7e5f99881f07047ef467c (diff) | |
Fixes for a minor local security hole. Some of the CGI scripts could
bomb with tracebacks if the PATH_INFO environment variable wasn't defined.
Fixed this by making them all use Utils.GetPathPieces() and "doing
something sensible" when that returned a false value.
Also, edithtml is now hidden behind a login screen, so there's no need
to enter the list password to edit the html. You can't even get to
the list of files to edit unless you've admin authenticated. Closes
SF bug #114091, Jitterbug PR# 24.
Diffstat (limited to 'Mailman/Cgi/private.py')
| -rw-r--r-- | Mailman/Cgi/private.py | 16 |
1 files changed, 4 insertions, 12 deletions
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 000f46d59..240cc35d0 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -92,27 +92,19 @@ def content_type(path):
 def main():
 doc = Document()
-
- try:
- path = os.environ['PATH_INFO']
- except KeyError:
+ parts = Utils.GetPathPieces()
+ if not parts:
 doc.SetTitle("Private Archive Error")
 doc.AddItem(Header(3, "You must specify a list."))
 print doc.Format(bgcolor="#FFFFFF")
 sys.exit(0)
+ path = os.environ.get('PATH_INFO')
 true_filename = os.path.join(
 mm_cfg.PRIVATE_ARCHIVE_FILE_DIR, true_path(path))
- list_info = Utils.GetPathPieces(path)
-
- if len(list_info) < 1:
- doc.SetTitle("Private Archive Error")
- doc.AddItem(Header(3, "You must specify a list."))
- print doc.Format(bgcolor="#FFFFFF")
- sys.exit(0)
- listname = string.lower(list_info[0])
+ listname = string.lower(parts[0])
 # If it's a directory, we have to append index.html in this script. We
 # must also check for a gzipped file, because the text archives are |
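Review bot: After this change the list name comes from `Utils.GetPathPieces()` while `true_filename` is still built from a second, raw read of `PATH_INFO`, so the name that is later authenticated and the file that is opened rely on two parsers agreeing about the same request-controlled string. Neither `true_path()` nor `GetPathPieces()` is visible in this hunk; if they treat empty or `..` segments differently, the check could apply to one list while the file belongs to another, or the path could resolve outside `mm_cfg.PRIVATE_ARCHIVE_FILE_DIR`. I would build the filename from the already-parsed pieces, or at least add a comment above the `path =` line such as `# parts is non-empty, so PATH_INFO is set; true_path() must reject '..' and resolve under the same list as parts[0]`, and confirm that in `true_path()`. The rest of `main()` lies outside the hunk, so the authentication step itself is not shown here.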
