critical security update (CAN-2005-0202)

2005-02-10 14:58:06 +00:00 · 2005-02-10 14:58:06 +00:00 · 77a5ec74c4
commit 77a5ec74c4
parent 54fdcbe432
2 changed files with 32 additions and 2 deletions
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.30 2005/02/04 09:19:35 jakob Exp $
+# $OpenBSD: Makefile,v 1.31 2005/02/10 14:58:06 jakob Exp $

 COMMENT=	"mailing list manager with web interface"

 DISTNAME=	mailman-2.1.5
-PKGNAME=	${DISTNAME}p2
+PKGNAME=	${DISTNAME}p3
 CATEGORIES=	mail www

 HOMEPAGE=	http://www.gnu.org/software/mailman/
--- a/mail/mailman/patches/patch-Mailman_Cgi_private_py
+++ b/mail/mailman/patches/patch-Mailman_Cgi_private_py
@ -0,0 +1,30 @@
+$OpenBSD: patch-Mailman_Cgi_private_py,v 1.1 2005/02/10 14:58:06 jakob Exp $
+--- Mailman/Cgi/private.py.orig	Sat Feb  8 08:13:50 2003
+++ Mailman/Cgi/private.py	Thu Feb 10 15:50:22 2005
+@@ -1,4 +1,4 @@
+-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -35,13 +35,17 @@ from Mailman.Logging.Syslog import syslo
+ _ = i18n._
+ i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+ 
+SLASH = '/'
+ 
+
+ 
+ def true_path(path):
+     "Ensure that the path is safe by removing .."
+-    path = path.replace('../', '')
+-    path = path.replace('./', '')
+-    return path[1:]
+    parts = path.split(SLASH)
+    safe = [x for x in parts if x not in ('.', '..')]
+    if parts <> safe:
+        syslog('mischief', 'Directory traversal attack thwarted')
+    return SLASH.join(safe)[1:]
+ 
+ 
+