David Morse <[EMAIL PROTECTED]> wrote:
>
>If I look at the logs, this seems to be the problem
>
>admin(1853):   File "/usr/lib/mailman/Mailman/Cgi/private.py", line 42, in true_path
>admin(1853):     parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
>admin(1853): NameError: global name 'SLASH' is not defined
>
>here's the source:
>
>def true_path(path):
>     "Ensure that the path is safe by removing .."
>     parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
>     return '/'.join(parts)[1:]
>
>What do the learned developers think of replacing SLASH with '/' or 
>something?  I'm just guessing here...

It appears that someone attempted to apply the patch at
http://www.list.org/CAN-2005-0202.txt or some other version thereof
and has left out the definition of SLASH. See the above URL for the
full patch.

--
Mark Sapiro <[EMAIL PROTECTED]>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
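
Added example, not part of the original thread and not the Mailman patch itself: it loads the quoted true_path with and without a SLASH definition, showing that the partial patch fails only when the function is called, and lists globals a function reads that its module never defines. SLASH = '/' is an assumption taken from the '/'.join in the quoted code; load, global_reads, missing_globals and the sample paths are constructed for illustration.

```python
import builtins
import dis
import types

# true_path exactly as quoted in the post, held as text so it can be loaded
# both without and with the constant the partial patch left out.
QUOTED_SRC = '''
def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return '/'.join(parts)[1:]
'''
# Assumption: SLASH is '/', matching the '/'.join in the quoted code.
ASSUMED_DEF = "SLASH = '/'\n"


def load(src):
    """Execute module source and return its namespace."""
    ns = {}
    exec(compile(src, "private_excerpt.py", "exec"), ns)
    return ns


def global_reads(code):
    """Names a code object (and any nested ones) looks up as globals."""
    names = {i.argval for i in dis.get_instructions(code)
             if i.opname == "LOAD_GLOBAL"}
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            names |= global_reads(const)
    return names


def missing_globals(ns):
    """Globals read by functions in ns that neither ns nor builtins define."""
    missing = set()
    for obj in list(ns.values()):
        if isinstance(obj, types.FunctionType):
            missing |= {n for n in global_reads(obj.__code__)
                        if n not in ns and not hasattr(builtins, n)}
    return sorted(missing)


broken = load(QUOTED_SRC)                  # loads cleanly, fails when called
patched = load(ASSUMED_DEF + QUOTED_SRC)
# Constructed PATH_INFO-style inputs (not from the thread).
SAMPLES = ["/mylist/2005-February/000001.html", "/../../etc/passwd", "/./mylist/../x"]
RESULTS = {p: patched["true_path"](p) for p in SAMPLES}
```

The '.' and '..' components are dropped rather than resolved, and the leading slash is stripped, so the result is always a relative path for the caller to join under the archive directory.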

------------------------------------------------------
Mailman-Users mailing list