#! /bin/sh /usr/share/dpatch/dpatch-run
## 40_can-2005-0202.dpatch by
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix directory traversal security bug CAN-2005-0202.
@DPATCH@
diff -urNad mailman-2.1.5/Mailman/Cgi/private.py /tmp/dpep.1s33Fe/mailman-2.1.5/Mailman/Cgi/private.py
--- mailman-2.1.5/Mailman/Cgi/private.py 2003-02-08 08:13:50.000000000 +0100
+++ /tmp/dpep.1s33Fe/mailman-2.1.5/Mailman/Cgi/private.py 2005-02-09 21:00:36.000000000 +0100
@@ -37,11 +37,12 @@
+SLASH = '/'
+
 def true_path(path):
 "Ensure that the path is safe by removing .."
- path = path.replace('../', '')
- path = path.replace('./', '')
- return path[1:]
+ parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
+ return SLASH.join(parts)[1:]