--- search.py	2009-01-26 19:26:56.000000000 +0000
+++ newsearch.py	2010-07-14 09:11:20.000000000 +0000
@@ -14,6 +14,24 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
 # USA.
+#
+# --------------------------------------------------------------------
+# This is a modification of the standard "private" CGI script that
+# keeps archives limited to subscribers; see private.py in Mailman
+# distribution for original source.  We use its "protect to
+# subscribers only" mechanism to make it so that only subscribers can
+# *search* archives - and see results.  Then the results (actual posts
+# in the archives) will be protected by the standard "private" CGI
+# script.  Without this, confidential material might be exposed in the
+# search results, even if the full posts were protected by Mailman's
+# private CGI script.
+#
+# Note that there is no #!/usr/bin/python because the compiled CGI
+# wrapper program hardcodes the python path for security and passes
+# the python interpreter the location of this script explicitly;
+# this is, in fact, how the other mailman CGI programs work.
+#
+# Anthony R. Thompson, June 2010
 
 """Provide a password-interface wrapper around private archives."""
 
@@ -161,27 +179,7 @@
     i18n.set_language(lang)
     doc.set_language(lang)
 
-    # Authorization confirmed... output the desired file
-    try:
-        ctype, enc = guess_type(path, strict=0)
-        if ctype is None:
-            ctype = 'text/html'
-        if mboxfile:
-            f = open(os.path.join(mlist.archive_dir() + '.mbox',
-                                  mlist.internal_name() + '.mbox'))
-            ctype = 'text/plain'
-        elif true_filename.endswith('.gz'):
-            import gzip
-            f = gzip.open(true_filename, 'r')
-        else:
-            f = open(true_filename, 'r')
-    except IOError:
-        msg = _('Private archive file not found')
-        doc.SetTitle(msg)
-        doc.AddItem(Header(2, msg))
-        print doc.Format()
-        syslog('error', 'Private archive file not found: %s', true_filename)
-    else:
-        print 'Content-type: %s\n' % ctype
-        sys.stdout.write(f.read())
-        f.close()
+    # Call Swish search CGI; it will replace this script and inherit its
+    # environment, including any custom variables we set, like LISTNAME
+    os.environ['LISTNAME'] = Utils.websafe(listname)
+    os.execv('/var/lib/mailman/archives/private/swish.cgi', [])  # INSTALL