Fedora Legacy Test Update Notification: mailman

Jeff Sheltren sheltren at cs.ucsb.edu
Wed Feb 16 05:07:19 UTC 2005


On 2/15/05 5:43 PM, "Jim Popovitch" <jimpop at yahoo.com> wrote:
> 
> OK... 
> 
> Here is what Mailman 2.0 looked like (prior to CAN-2005-0202)
> 
>    ^L
>    def true_path(path):
>        "Ensure that the path is safe by removing .."
>        path = string.replace(path, "../", "")
>        path = string.replace(path, "./", "")    <-- Double Quotes
>        return path[1:]
> 
> 
> Here is what Mailman 2.1.5 looked like (prior to CAN-2005-0202).
> 
>    ^L
>    def true_path(path):
>        "Ensure that the path is safe by removing .."
>        path = path.replace('../', '')
>        path = path.replace('./', '')        <-- Single Quotes
>        return path[1:]
> 
> 
> Here is what Mailman developers themselves recommend as a fix
> to the 2.1 series for CAN-2005-0202, in addition to saying that
> 2.0.x is unaffected.
> 
>    SLASH = '/'
> 
>    ^L
>    def true_path(path):
>        "Ensure that the path is safe by removing .."
>        parts = path.split(SLASH)
>        safe = [x for x in parts if x not in ('.', '..')]
>        if parts <> safe:
>            syslog('mischief', 'Directory traversal attack thwarted')
>        return SLASH.join(safe)[1:]
> 
> 
> Here is what is now in FedoraLegacy RH73 release 2.0.13-7
> 
>    ^L
>    def true_path(path):
>        "Ensure that the path is safe by removing .."
>        path = re.sub('\.+/+', '', path)
>        return path[1:]
> 
> 
> So, why so much difference between what we are releasing and what is
> being recommended? (not that Mailman's recommendations are anything like
> the past versions)  Also, what is "re.sub" ?
> 
> Glad there is a fix, just curious to know the reasoning and path to
> resolution.
> 
> Thanks,
> 
> -Jim P.

Hi Jim, the patch in the 7.3 version in updates-testing is nearly identical
to the patch used for the RH9/FC1 versions which, IMO, is a good thing.
True, what was recommended by the mailman devs should work fine, but it
would change the functionality (i.e. the extra logging to syslog), which I
know is something FL is trying to avoid.  Also, since we already have a
working patch à la RHEL, why not use it (slightly changed) for all the
packages released by FL?

BTW, you can find out more about the python re (Regular Expression) module
on their website:
http://www.python.org/doc/2.2.3/lib/node99.html

Also, I'm not a python expert by any means (although I'm learning), but I
believe there is no functional difference between the single and double
quotes from the code you pasted above.

-Jeff
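The three sanitizers quoted in this thread side by side, as an added example that is not from the original mail or from Mailman itself: the pre-fix textual `replace` version, the upstream-recommended component-filtering version (with the `syslog` call replaced by a returned flag, so it runs stand-alone), and the Fedora Legacy `re.sub` version, ported to Python 3 with a raw-string pattern. `re.sub(pattern, repl, string)` replaces every match of `pattern` in `string` with `repl`; the pattern `\.+/+` matches one or more dots followed by one or more slashes, so `../` and `./` are both removed in one pass. The `stays_inside` check and the `ARCHIVE_ROOT` value are constructed for this example and are not part of Mailman.

```python
import posixpath
import re

SLASH = '/'

# Constructed example root; Mailman's real archive directory is not assumed here.
ARCHIVE_ROOT = '/var/mailman/archives'


def true_path_replace(path):
    """Pre-CAN-2005-0202 Mailman 2.0/2.1.5 behaviour: textual removal of '../' then './'."""
    path = path.replace('../', '')
    path = path.replace('./', '')
    return path[1:]


def true_path_split(path):
    """Upstream-recommended 2.1 fix: drop '.' and '..' path components.

    Returns (sanitized_path, traversal_attempted). Mailman's version logs to
    syslog when components were dropped; here that is reported as a flag.
    """
    parts = path.split(SLASH)
    safe = [x for x in parts if x not in ('.', '..')]
    return SLASH.join(safe)[1:], parts != safe


def true_path_regex(path):
    """Fedora Legacy 2.0.13-7 variant: one regex strips runs of dots followed by slashes."""
    return re.sub(r'\.+/+', '', path)[1:]


def stays_inside(root, relative):
    """Defensive check independent of any sanitizer: after normalisation the
    joined path must still lie under root. Use this on the final path before
    opening anything, regardless of which true_path variant produced it."""
    joined = posixpath.normpath(posixpath.join(root, relative))
    return joined == root or joined.startswith(root + SLASH)


def compare(path):
    """Run all three sanitizers on one input and check each result against ARCHIVE_ROOT."""
    split_path, flagged = true_path_split(path)
    results = {
        'replace': true_path_replace(path),
        'split': split_path,
        'regex': true_path_regex(path),
    }
    return {
        'results': results,
        'traversal_flagged': flagged,
        'inside_root': {k: stays_inside(ARCHIVE_ROOT, v) for k, v in results.items()},
    }


if __name__ == '__main__':
    # Constructed sample inputs: a plain archive path, a parent-directory
    # reference and a current-directory reference.
    for sample in ('/lists/foo/index.html', '/foo/../bar', '/./secret'):
        print(sample, '->', compare(sample))
```

For the inputs shown, all three sanitizers agree, and only the split-based version reports that something was stripped, which is the logging difference Jeff mentions. The `stays_inside` check is the belt-and-braces step: it verifies the final path rather than trusting the string rewriting.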




