Security fix: only accept valid user IDs from the cookie
authorThomas Waldmann <tw AT waldmann-edv DOT de>
Sun Jan 20 23:27:48 2008 +0100 (2008-01-20)
changeset 855e69a16b6e630
parent 854 2f952fa361c7
child 856 db212dfc58ef
Security fix: only accept valid user IDs from the cookie
MoinMoin/user.py
docs/CHANGES
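--- a/MoinMoin/user.py
+++ b/MoinMoin/user.py
@@ -6,7 +6,7 @@
     @license: GNU GPL, see COPYING for details.
 """
 
-import os, time, sha, codecs
+import os, time, sha, codecs, re
 
 try:
     import cPickle as pickle
@@ -19,6 +19,7 @@
 from MoinMoin import config, caching, wikiutil
 from MoinMoin.util import filesys, timefuncs
 
+USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?$')
 
 def getUserList(request):
     """ Get a list of all (numerical) user IDs.
@@ -27,10 +28,9 @@
     @rtype: list
     @return: all user IDs
     """
-    import re, dircache
-    user_re = re.compile(r'^\d+\.\d+(\.\d+)?$')
+    import dircache
     files = dircache.listdir(request.cfg.user_dir)
-    userlist = [f for f in files if user_re.match(f)]
+    userlist = [f for f in files if USERID_re.match(f)]
     return userlist
 
 
@@ -210,7 +210,7 @@
         self._cfg = request.cfg
         self.valid = 0
         self.trusted = 0
-        self.id = id
+        self.id = self.id_sanitycheck(id)
         self.auth_username = auth_username
         self.auth_method = kw.get('auth_method', 'internal')
         self.auth_attribs = kw.get('auth_attribs', ())
@@ -299,6 +299,15 @@
         from random import randint
         return "%s.%d" % (str(time.time()), randint(0,65535))
 
+    def id_sanitycheck(self, id):
+        """ only return valid user IDs, avoid someone faking his cookie to
+            contain '../../../somefile', breaking out of the data/user/ directory!
+        """
+        if id and USERID_re.match(id):
+            return id
+        else:
+            return None
+
     def create_or_update(self, changed=False):
         """ Create or update a user profile
 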
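Review bot: `USERID_re` in the second hunk is anchored with `$`, which in Python's re also matches right before a trailing newline, so `id_sanitycheck` in the last hunk accepts an otherwise valid id followed by `\n`; anchoring with `\Z` instead, `USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?\Z')`, makes the check strict without changing which normal ids pass. Whether a newline can actually reach this code through the cookie depends on the request layer, which is not on this page, so this is a defensive tightening rather than a demonstrated bypass. Since the same regex is used by `getUserList`, the change keeps directory listing and cookie validation in agreement. A rejected id is silently replaced by `None`; logging at that point, if the module has a logging facility, would give operators a signal that malformed cookies are being presented. The `__init__` changed by the fourth hunk starts and ends outside it.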
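--- a/docs/CHANGES
+++ b/docs/CHANGES
@@ -44,6 +44,7 @@
     * Fixed Despam action (same editor grouping was broken), now looking for
       spam edits in the last 30 days.
     * Fixed XSS issue in login action.
+    * Security fix: only accept valid user IDs from the cookie.
 
 Version 1.5.8:
   New features: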