~mailman-coders/mailman/2.1

Viewing changes to Mailman/Utils.py

  • Committer: Mark Sapiro
  • Date: 2015-03-27 21:12:16 UTC
  • Revision ID: mark@msapiro.net-20150327211216-prikig6l1ic50v9q
Fix for path traversal vulnerability.

100
100
    #
101
101
    # The former two are for 2.1alpha3 and beyond, while the latter two are
102
102
    # for all earlier versions.
 
103
    #
 
104
    # But first ensure the list name doesn't contain a path traversal
 
105
    # attack.
 
106
    if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
 
107
        syslog('mischief', 'Hostile listname: %s', listname)
 
108
        return False
103
109
    basepath = Site.get_listpath(listname)
104
110
    for ext in ('.pck', '.pck.last', '.db', '.db.last'):
105
111
        dbfile = os.path.join(basepath, 'config' + ext)
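
Review bot: the new guard at line 106 is only as strong as mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, which is defined outside this hunk and can be overridden per site, so nothing visible here guarantees that a path separator or a bare '..' is rejected before Site.get_listpath(listname) builds the path. Consider adding an explicit check in this function that listname contains no os.sep and is not '.' or '..', and extend the comment to say that the setting must be a single-character class for the re.sub test to mean "every character is acceptable". Separately, line 107 writes the raw, untrusted listname to the 'mischief' log with %s; formatting it with %r would keep embedded newlines or control characters from breaking up or forging log entries.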