$OpenBSD: patch-Mailman_Cgi_private_py,v 1.1 2005/02/10 14:58:06 jakob Exp $
--- Mailman/Cgi/private.py.orig	Sat Feb  8 08:13:50 2003
+++ Mailman/Cgi/private.py	Thu Feb 10 15:50:22 2005
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -35,13 +35,17 @@ from Mailman.Logging.Syslog import syslo
 _ = i18n._
 i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
 
+SLASH = '/'
 
+
 
 def true_path(path):
     "Ensure that the path is safe by removing .."
-    path = path.replace('../', '')
-    path = path.replace('./', '')
-    return path[1:]
+    parts = path.split(SLASH)
+    safe = [x for x in parts if x not in ('.', '..')]
+    if parts <> safe:
+        syslog('mischief', 'Directory traversal attack thwarted')
+    return SLASH.join(safe)[1:]
 
 
 
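Review bot: The docstring on true_path is now out of date — the new body drops `.` components as well as `..`, strips the leading slash and logs to syslog when anything was removed, so it should read `"""Return *path* with its leading slash and any '.' or '..' components removed; a removal is logged to syslog as mischief."""`. The `[1:]` in `return SLASH.join(safe)[1:]` still assumes *path* starts with `/`; if a caller can pass a path without a leading slash, the first character of the first component is silently dropped, and `lstrip(SLASH)` would be the safer strip — worth confirming how the caller builds *path*. The filter also only recognises whole components, which is correct for the filesystem join but presumes the path has already been percent-decoded by the CGI layer before it arrives here, which this hunk does not show. A lone `.` component (`/./private/foo`) is harmless yet is logged as an attack, so the mischief log may carry false positives. Minor style: the added `SLASH = '/'` line and the extra blank line at the top of the hunk leave three blank lines before `def true_path`, where two is the file's convention elsewhere.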
