[Mailman-Users] update to htdig integration patch #444884
Richard Barrett
R.Barrett at ftel.co.uk
Thu Mar 20 15:21:10 CET 2003
I have posted a revised version of the Mailman-htdig integration patch
#444884 as file htdig-2.1.1-0.2.patch.gz at:
http://sourceforge.net/tracker/?func=detail&aid=444884&group_id=103&atid=300103

The changes close a security exploit pointed out to me by Rupa Schomaker
<rupa-list at rupa.com>.

The substance of the exploit is that an unauthorized user could construct
an HTTP request which would get htdig's htsearch program to return search
results for a private list archive. The search results page could thus
reveal information to an unauthorized user, even though the htdig.py CGI
script would refuse to serve the archive page pointed to by the links on
the htsearch results page.

With the amended patch, htsearch is now invoked by a new security wrapper
which prevents this exploit. Without the wrapper htsearch is unable to
access the per-list htdig config files. The security wrapper ensures the
user requesting the search is authorized to see the list's archive before
allowing the search.

Any problems with this new patch version, let me know.

But do read the instructions in the file INSTALL.htdig-mm installed by the
patch. There are specific notes about updating an existing MM installation
which has had an earlier version of patch #444884 applied to it.
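The following Python is an added illustration of the wrapper pattern the post describes; it is not code from the patch or from Mailman. A search backend such as htsearch has no knowledge of a list's archive access policy, so the decision of whether the requester may read that archive has to be made by the wrapper before the backend is ever run with the list's config. The list registry, the session store, the `may_read_archive` rule and the `run_htsearch` stand-in are all constructed for the example.

```python
"""Authorization wrapper in front of a per-list archive search backend.

Added example, not the patch's code. Models the fix described in the post:
the search backend cannot enforce per-list archive access itself, so the
wrapper checks authorization first and only then runs the search with the
list's config. All data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed registry: is the archive private, and who may read it.
LISTS: Dict[str, dict] = {
    "announce": {"private": False, "members": set()},
    "staff": {"private": True, "members": {"alice", "bob"}},
}

# Constructed session store: cookie value -> authenticated user name.
SESSIONS: Dict[str, str] = {"sess-alice": "alice", "sess-eve": "eve"}

# List names are used to pick a per-list config file, so restrict them
# to a safe character set before any filesystem-related lookup.
VALID_LIST_NAME = re.compile(r"^[a-z0-9][a-z0-9_.-]*$")


@dataclass
class Response:
    status: int
    body: str


def current_user(cookie: Optional[str]) -> Optional[str]:
    """Resolve a session cookie to a user name (None if unauthenticated)."""
    return SESSIONS.get(cookie) if cookie else None


def may_read_archive(listname: str, user: Optional[str]) -> bool:
    """Public archives are readable by anyone; private ones only by members."""
    info = LISTS.get(listname)
    if info is None:
        return False
    if not info["private"]:
        return True
    return user is not None and user in info["members"]


def run_htsearch(listname: str, query: str) -> str:
    """Stand-in for invoking the search program with the list's config.

    In the real patch only the wrapper can reach that config; here we just
    return a string so the example runs offline.
    """
    return f"results for {query!r} in {listname}"


Backend = Callable[[str, str], str]


def search_unguarded(listname: str, query: str,
                     backend: Backend = run_htsearch) -> Response:
    """The pre-fix shape: the request goes straight to the backend, so a
    private list's search results are returned to anyone who names it,
    even though the archive pages themselves are access-controlled."""
    return Response(200, backend(listname, query))


def search(listname: str, query: str, cookie: Optional[str],
           backend: Backend = run_htsearch) -> Response:
    """The wrapper: validate, then authorize, then (and only then) search."""
    if not VALID_LIST_NAME.match(listname):
        return Response(400, "bad list name")
    if listname not in LISTS:
        return Response(404, "no such list")
    user = current_user(cookie)
    if not may_read_archive(listname, user):
        # Deny before the backend runs: no results page is ever produced.
        return Response(403, "archive is private")
    return Response(200, backend(listname, query))


if __name__ == "__main__":
    print(search_unguarded("staff", "salary"))            # leak: 200
    print(search("staff", "salary", None))                # 403
    print(search("staff", "salary", "sess-eve"))          # 403, not a member
    print(search("staff", "salary", "sess-alice"))        # 200
    print(search("announce", "meeting", None))            # 200, public
```

The point of the two entry points is the ordering: `search_unguarded` hands the request to the backend first and relies on the archive pages being protected later, which is exactly the gap the post describes, while `search` makes the authorization decision before the backend is invoked, so the results page never exists for an unauthorized requester.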