Message-ID: <420A684F.6030003@asu.edu>
From: sblass at asu.edu (Steve Blass)
Subject: Administrivia: List Compromised due to Mailman Vulnerability
John Cartwright wrote:
>...
>
>Subscriber addresses and passwords have been compromised.
>
d'0h!
>...
>
>SLASH = '/'
>
>def true_path(path):
>    "Ensure that the path is safe by removing .."
>    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
>    return SLASH.join(parts)[1:]
>
That's an improvement, but better is to extract and validate the tail of
the path to your repository and then anchor the root where it belongs.
Fully disclosing that FD was compromised was a stand-up thing to do
though. Good job!
-
Steve
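The approach Steve suggests, as an added example that is not code from this thread or from Mailman: the quoted true_path is reproduced for comparison, and anchored_path validates the normalised tail of the request and rejects anything that would climb out of the repository instead of silently rewriting it. REPO_ROOT and both function names are assumptions for the example.

```python
import posixpath

# Assumed repository root for the example; not a path from the original message.
REPO_ROOT = "/var/lib/mailman/archives/private"


def true_path(path):
    """The fix quoted above: drop '.' and '..' segments, then strip the leading slash."""
    parts = [x for x in path.split("/") if x not in (".", "..")]
    return "/".join(parts)[1:]


def anchored_path(path, root=REPO_ROOT):
    """Validate the tail of a request path, then anchor it under root.

    Returns the absolute path inside root, or None when the request is empty
    or would escape root. Escapes are rejected, not rewritten, so a request
    like 'list/../../etc/passwd' never turns into a different valid file.
    """
    # Treat the request as relative to root and collapse '.', '..' and '//'
    tail = posixpath.normpath(path.lstrip("/"))
    # Empty request, or one that still points upward after normalisation
    if tail in (".", "") or tail == ".." or tail.startswith("../"):
        return None
    full = posixpath.join(root, tail)
    # Defence in depth: the joined result must still lie under root
    if posixpath.commonpath([root, full]) != root:
        return None
    return full


if __name__ == "__main__":
    for request in ("list/2005-February/000001.html", "list/../../etc/passwd"):
        print(request, "->", true_path("/" + request), "|", anchored_path(request))
```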