Comment 32 for bug 266554

Ppsys (ppsys) wrote :

It seems it is possible, if this patch is installed, for a list's
htdig conf file and the list specific htdig index db files to be
read directly through the web interface for list archives.

Even if this patch isn't installed it seems a list's pipermail.pck
file can also be read directly through the web interface for list
archives.

This seems to be true for accesses via /pipermail for public
lists and via /mailman/private for private lists.

The problem does not occur for htdig search results
accessed via /mailman/htdig as the htdig.py script is more
protective than private.py

Broadly speaking the data affected is available to a user in
normal operation which is why I do not consider the issue to
be a security breach as such.

Adding the following RewriteRule to Apache's httpd.conf
prevents the situation, assuming you got the RewriteEngine
On:

RewriteRule ^(/pipermail/.*)/(pipermail.pck|htdig/[^/]*)$ $1/index.html [F]

RewriteRule ^(/mailman/private/.*)/(pipermail.pck|htdig/[^/]*)$ $1/index.html [F]

You could, of course, substitute an R flag for the F flag on the
RewriteRules and be more hacker friendly.
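
Added example, not part of the original comment or of the patch: a small Python check of which request paths the two RewriteRule patterns above would answer with 403. It assumes the rules sit in server context in httpd.conf, so the pattern sees the full URL path, and that Python's re module treats these patterns as Apache's PCRE does; the list name "demo-list" and the file names under htdig/ are constructed.

```python
import re

# The two patterns from the RewriteRules in the comment, copied unchanged.
RULES = [
    re.compile(r"^(/pipermail/.*)/(pipermail.pck|htdig/[^/]*)$"),
    re.compile(r"^(/mailman/private/.*)/(pipermail.pck|htdig/[^/]*)$"),
]


def is_forbidden(url_path):
    """True if either rule matches the path, i.e. the [F] flag would apply."""
    return any(rule.search(url_path) for rule in RULES)


def audit(paths):
    """Map each request path to True (403 by the rules) or False (served)."""
    return {path: is_forbidden(path) for path in paths}


# Constructed request paths for a hypothetical list "demo-list".
SAMPLES = [
    "/pipermail/demo-list/pipermail.pck",                # archive pickle, public
    "/mailman/private/demo-list/pipermail.pck",          # archive pickle, private
    "/pipermail/demo-list/htdig/example.conf",           # constructed htdig file
    "/mailman/private/demo-list/htdig/example.db",       # constructed htdig file
    "/pipermail/demo-list/htdig/",                       # [^/]* also matches empty
    "/pipermail/demo-list/pipermailXpck",                # unescaped '.' over-matches
    "/pipermail/demo-list/index.html",                   # normal archive page
    "/pipermail/demo-list/2008-September/000001.html",   # normal message page
    "/mailman/htdig/demo-list/search",                   # left to htdig.py
]

if __name__ == "__main__":
    for path, blocked in audit(SAMPLES).items():
        print("403" if blocked else "ok ", path)
```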