[Full-Disclosure] Administrivia: List Compromised due to Mailman Vulnerability

Steve Blass sblass at asu.edu
Wed Feb 9 19:45:19 GMT 2005


John Cartwright wrote:

>...
>
>Subscriber addresses and passwords have been compromised.
>
d'0h!

>...
>
>SLASH = '/'
>
>def true_path(path):
>    "Ensure that the path is safe by removing .."
>    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
>    return SLASH.join(parts)[1:]
>
>  
>
That's an improvement, but better is to extract and validate the tail of 
the path to your repository and then anchor the root where it belongs.

Fully disclosing that FD was compromised was a stand up thing to do 
though. Good job!

-
Steve
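To make the suggestion above concrete, here is an added example (my code, not Mailman's and not anything posted in this thread) that places the quoted true_path filter beside an anchored check: the client-chosen tail is joined under the archive root, resolved, and then verified to still lie inside that root. The ARCHIVE_ROOT directory is a constructed placeholder, not Mailman's real layout.

```python
import os

SLASH = '/'

# Constructed placeholder for the private-archive directory; not Mailman's real layout.
ARCHIVE_ROOT = '/var/lib/mailman/archives/private'


def true_path(path):
    """The filter quoted above: drop '.' and '..' components, strip the leading slash."""
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]


def naive_join(root, requested):
    """What a caller gets if it simply joins the filtered tail under root."""
    return os.path.join(root, true_path(requested))


def safe_archive_path(root, requested):
    """Validate the client-chosen tail, anchor it under root, and verify it stayed there.

    Returns the resolved absolute path, or None if the request would leave root
    (via '..', a sibling directory sharing a prefix, or a symlink pointing out).
    """
    if '\x00' in requested:
        return None  # a NUL byte would truncate the name at the C level; refuse it outright
    root = os.path.realpath(root)
    # The only part the client may choose is the path relative to root, so
    # strip every leading slash rather than exactly one.
    tail = requested.lstrip(SLASH)
    # realpath normalises '..' and follows symlinks, so the comparison below
    # is made against the directory the OS would actually open.
    candidate = os.path.realpath(os.path.join(root, tail))
    # commonpath, not startswith: 'private-evil' starts with 'private' but is not inside it.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == '__main__':
    for req in ('/list/2005-February/000123.html', '/list/../../etc/passwd', '//etc/passwd'):
        print(repr(req), '->', naive_join(ARCHIVE_ROOT, req), '|',
              safe_archive_path(ARCHIVE_ROOT, req))
```

Two things the anchored version catches that the component filter alone does not: true_path('//etc/passwd') still returns '/etc/passwd', and os.path.join discards the root when its second argument is absolute, so a caller that trusts the filtered string can be handed a path outside the archive; and a symlink inside the archive that points elsewhere is resolved before the containment check. Run the check on the decoded path (after any URL unquoting the server performs), never on the raw request.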




Full-Disclosure is hosted and sponsored by Secunia.