authortkikuchi2005-08-28 05:31:27 +0000
committertkikuchi2005-08-28 05:31:27 +0000
commit067dc15b2432bb285ab5e4a3eac6f4dddd67ed19 (patch)
treeceac72251ee33742bfff7626c99dde163d3da946 /Mailman/Cgi/private.py
parentbc1dad4f90a26ade7c4dd6d2863de88856e8b4b6 (diff)
Diffstat (limited to 'Mailman/Cgi/private.py')
-rw-r--r--Mailman/Cgi/private.py11
1 files changed, 7 insertions, 4 deletions
diff --git a/Mailman/Cgi/private.py b/Mailman/Cgi/private.py
index 790d351c6..cbab3b066 100644
--- a/Mailman/Cgi/private.py
+++ b/Mailman/Cgi/private.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -35,13 +35,16 @@ from Mailman.Logging.Syslog import syslog
_ = i18n._
i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+SLASH = '/'
+
def true_path(path):
"Ensure that the path is safe by removing .."
- path = path.replace('../', '')
- path = path.replace('./', '')
- return path[1:]
+ # Workaround for path traverse vulnerability. Unsuccessful attempts will
+ # be logged in logs/error.
+ parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
+ return SLASH.join(parts)[1:]
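Review bot: Empty path components still pass the filter in `true_path`, so the `[1:]` on the return line strips only one leading `/`, and an input that begins with more than one slash comes back as a string that still starts with `/`. If the caller (outside this hunk) passes the result to `os.path.join` together with the archive directory, an absolute second argument discards the base, so the function should guarantee a relative result. Filtering `''` as well, `parts = [x for x in path.split(SLASH) if x not in ('', '.', '..')]` with `return SLASH.join(parts)`, does that, though it also drops a trailing slash, so check whether the caller relies on one. The new comment says unsuccessful attempts are logged, but nothing in this function logs; that presumably happens in the caller, and the comment could say so.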