XSS fix for login action, thanks to Fernando Quintero for reporting this (port from 1.5)
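--- a/MoinMoin/action/login.py
+++ b/MoinMoin/action/login.py
@@ -10,7 +10,7 @@
 @license: GNU GPL, see COPYING for details.
 """
 
-from MoinMoin import user, userform
+from MoinMoin import user, userform, wikiutil
 from MoinMoin.Page import Page
 
 def execute(pagename, request):
@@ -40,14 +40,14 @@
 if not user.isValidName(request, name):
 error = _("""Invalid user name {{{'%s'}}}.
 Name may contain any Unicode alpha numeric character, with optional one
-space between words. Group page name is not allowed.""", formatted=True, percent=True) % name
+space between words. Group page name is not allowed.""", formatted=True, percent=True) % wikiutil.escape(name)
 
 # we do NOT check this, we don't want to disclose whether a user
 # exists or not to not help an attacker.
 # Check that user exists
 #elif not user.getUserId(request, name):
 # error = _('Unknown user name: {{{"%s"}}}. Please enter'
-# ' user name and password.', formatted=True, percent=True) % name
+# ' user name and password.', formatted=True, percent=True) % wikiutil.escape(name)
 
 # Require password
 else: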
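Review bot: The escape at the `% wikiutil.escape(name)` interpolation in the `isValidName` branch is applied at a single sink, and the reason it is required is not visible at the call site: with `formatted=True` the message is rendered to HTML before `%` substitutes the user-supplied name, so anything merged in at that point reaches the page unescaped. A one-line comment above the `error = _(` line, `# name is substituted after the message has been rendered to HTML (formatted=True), so it must be escaped here`, would keep the next `% name` added to this function from repeating the defect. Any other place in execute() that interpolates request-supplied values into a formatted message would need the same treatment; only this branch is visible, since execute() starts before and continues past the hunk. Whether wikiutil.escape also escapes quotes by default is not shown here; the `{{{'%s'}}}` placeholder is text content rather than an attribute, so that presumably suffices, but it is worth confirming.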
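--- a/docs/CHANGES
+++ b/docs/CHANGES
@@ -46,7 +46,8 @@
 * Wiki parser: fix parsing of link/transclusion description and params
 * Bug fix for 1.6.0SupplementationAndAccessRights
 * Fix supported URL schemes (some got lost since 1.5.8).
-
+ * Fixed XSS issue in login action.
+
 Version 1.6.0:
 * This is a reduced CHANGES, ommitting details from rc/beta test and also
 less interesting minor changes and fixes. If you want to see full detail,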