From 77a5ec74c4c8984ca93bb18e51c5b78b4c4ede15 Mon Sep 17 00:00:00 2001
From: jakob <jakob@openbsd.org>
Date: Thu, 10 Feb 2005 14:58:06 +0000
Subject: [PATCH] critical security update (CAN-2005-0202)

---
 mail/mailman/Makefile                         |  4 +--
 .../patches/patch-Mailman_Cgi_private_py      | 30 +++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 mail/mailman/patches/patch-Mailman_Cgi_private_py

diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile
index 8e5c6474984..02c0bb9770c 100644
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.30 2005/02/04 09:19:35 jakob Exp $
+# $OpenBSD: Makefile,v 1.31 2005/02/10 14:58:06 jakob Exp $
 
 COMMENT=	"mailing list manager with web interface"
 
 DISTNAME=	mailman-2.1.5
-PKGNAME=	${DISTNAME}p2
+PKGNAME=	${DISTNAME}p3
 CATEGORIES=	mail www
 
 HOMEPAGE=	http://www.gnu.org/software/mailman/
diff --git a/mail/mailman/patches/patch-Mailman_Cgi_private_py b/mail/mailman/patches/patch-Mailman_Cgi_private_py
new file mode 100644
index 00000000000..976065bcf15
--- /dev/null
+++ b/mail/mailman/patches/patch-Mailman_Cgi_private_py
@@ -0,0 +1,30 @@
+$OpenBSD: patch-Mailman_Cgi_private_py,v 1.1 2005/02/10 14:58:06 jakob Exp $
+--- Mailman/Cgi/private.py.orig	Sat Feb  8 08:13:50 2003
++++ Mailman/Cgi/private.py	Thu Feb 10 15:50:22 2005
+@@ -1,4 +1,4 @@
+-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
++# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -35,13 +35,17 @@ from Mailman.Logging.Syslog import syslo
+ _ = i18n._
+ i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+ 
++SLASH = '/'
+ 
++
+ 
+ def true_path(path):
+     "Ensure that the path is safe by removing .."
+-    path = path.replace('../', '')
+-    path = path.replace('./', '')
+-    return path[1:]
++    parts = path.split(SLASH)
++    safe = [x for x in parts if x not in ('.', '..')]
++    if parts <> safe:
++        syslog('mischief', 'Directory traversal attack thwarted')
++    return SLASH.join(safe)[1:]
+ 
+ 
+