Hi,
As I noticed, 2.0.x versions (at least 2.0.13) are vulnerable, too. (As the subject of the announcement also suggested.)
Which unfortunately only works with Python 2.
Python 1 (or rather, at least 1.5.2) complains about syntax errors. (Which, in fact, also helps against the vulnerability by displaying the "You've found a Mailman bug" page. ;-)
Change the true_path function as follows:

    def true_path(path):
        "Ensure that the path is safe by removing .."
        import re
        path = re.sub('\.+/+', '', path)
        return path[1:]

and try. Sorry, but I have no 2.0.x around and only found a machine which has a working Python 1.x installed.
-- Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp http://weather.is.kochi-u.ac.jp/
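Added example, not part of the original message and not Mailman's own code: the posted true_path run over constructed request paths, followed by a resolve-and-compare containment check as a second layer. The helper resolve_inside, the sample paths and the list name "mylist" are assumptions made for illustration.

```python
import os
import re
import tempfile


def true_path(path):
    """Sanitizer from the message above (pattern written as a raw string)."""
    path = re.sub(r'\.+/+', '', path)
    return path[1:]


def resolve_inside(base, relative):
    """Assumed second layer: resolve the joined path and require that it
    stays under base, whatever the sanitizer let through."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes archive root: %r" % relative)
    return candidate


# Constructed request paths; "mylist" is a made-up list name.
SAMPLES = [
    "/mylist/2005-February/000001.html",  # ordinary archive page
    "/mylist/../../etc/passwd",           # dot-dot segments
    "/mylist/..//....///etc/passwd",      # longer runs of dots and slashes
    "/mylist/v1./index.html",             # legitimate name ending in a dot
]


def demo(base):
    """Return (input, sanitized, resolved) for each sample."""
    rows = []
    for raw in SAMPLES:
        cleaned = true_path(raw)
        rows.append((raw, cleaned, resolve_inside(base, cleaned)))
    return rows


if __name__ == "__main__":
    root = tempfile.mkdtemp()  # stand-in for the private archive directory
    for raw, cleaned, resolved in demo(root):
        print("%-36s -> %-34s -> %s" % (raw, cleaned, resolved))
```

The last sample shows that the pattern also rewrites a legitimate directory name ending in a dot, so the containment check is useful as an independent test of where the final path points.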