On Thu, 10 Feb 2005, John Swartzentruber wrote:
On 2/10/2005 9:41 AM Barry Warsaw wrote:
Until Mailman 2.1.6 is released, the longer term fix is to apply this
patch:
http://www.list.org/CAN-2005-0202.txt
Could an expert please help out a non-expert? I applied this patch to
/usr/lib/mailman/Mailman/Cgi, and the private.py file was correctly patched.
I'm not sure that this is enough, however, because the private.pyc file
wasn't changed, even after I restarted mailman. Should I have patched the
private.py file in the source, then gone through the "make" and "make
install" process?
Edit $MAILMAN/Mailman/Cgi/private.py (probably wise to save the orig).
Where you see lines in the diff beginning with "-", remove those lines.
Where you see lines in the diff beginning with "+", add those lines.
Once the edit is complete, stop and restart the qrunner (perhaps it's
/etc/init.d/mailman or $MAILMAN/bin/mailmanctl, depending on how you're
set up).
The .pyc will only get remade when needed, and since this only affects lists
with archives, try going to some list of yours with an archive.
The original patch I saw on the net seems to work fine but doesn't log the
hack attempts to the $MAILMAN/logs/mischief file. Here it is:
----------------------------------------------------
i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)

SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]
-----------------------------------------------------
The one from the diffs looks like this:
----------------------------------------------------
i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
^L
SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = path.split(SLASH)
    safe = [x for x in parts if x not in ('.', '..')]
    if parts <> safe:
        syslog('mischief', 'Directory traversal attack thwarted')
    return SLASH.join(safe)[1:]
------------------------------------------------------
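As an added illustration (not part of the original message and not Mailman's own module), here is a stand-alone Python version of the diff's true_path() run over a few constructed PATH_INFO-style values. It assumes the path has already been URL-decoded by the CGI layer, and it replaces Mailman's syslog() with a stand-in that records what would have gone to $MAILMAN/logs/mischief, so you can see which inputs are rewritten and which get logged.

```python
# Constructed, stand-alone re-implementation of the true_path() sanitizer from
# Mailman's Cgi/private.py as quoted in the thread. Example code, not
# Mailman's own module: syslog() is a stand-in that records entries in a list
# instead of appending to $MAILMAN/logs/mischief.
SLASH = '/'
mischief_log = []  # stand-in for the 'mischief' syslog channel


def syslog(channel, message):
    """Stand-in for Mailman.Logging.Syslog.syslog: record instead of writing."""
    mischief_log.append((channel, message))


def true_path(path):
    """Ensure that the path is safe by removing '.' and '..' components.

    Same logic as the diff version: components equal to '.' or '..' are
    dropped, any removal is logged to 'mischief', and the leading slash is
    stripped so the result can be joined under the archive directory.
    The caller is expected to pass a PATH_INFO-style value beginning
    with '/' (as the CGI does); a value without one loses its first character.
    """
    parts = path.split(SLASH)
    safe = [x for x in parts if x not in ('.', '..')]
    if parts != safe:  # '<>' in the Python 2 original; '!=' is equivalent
        syslog('mischief', 'Directory traversal attack thwarted')
    return SLASH.join(safe)[1:]


def check_paths(paths):
    """Run true_path over each sample; return (input, output, logged) tuples."""
    results = []
    for p in paths:
        before = len(mischief_log)
        out = true_path(p)
        results.append((p, out, len(mischief_log) > before))
    return results


# Constructed sample PATH_INFO values: one legitimate archive URL and
# three traversal-style inputs (assumed values, not taken from any real log).
SAMPLES = [
    '/mylist/2005-February/000001.html',
    '/mylist/../../../../etc/passwd',
    '/mylist/./private/./index.html',
    '/../mylist.mbox/mylist.mbox',
]

if __name__ == '__main__':
    for src, dst, logged in check_paths(SAMPLES):
        print('%-40s -> %-32s %s' % (src, dst, 'LOGGED' if logged else 'ok'))
    for channel, msg in mischief_log:
        print('%s: %s' % (channel, msg))
```

Run it and the legitimate archive URL passes through unchanged apart from the leading slash, while each of the other three is collapsed to a path under the list's own directory and produces one 'mischief' entry, which is the behaviour the diff version adds over the first patch.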
If I got any of the above wrong, I apologize; please lemme know.
We're all in this together
=-=-=-=-=-=-=-=-=-=- generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-=
David Stern University of Maryland
Institute for Advanced Computer Studies
------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users