Fixing security issues related to MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg (possible XSS)
authorEugene Syromyatnikov <evgsyr@gmail.com>
Fri, 04 Jun 2010 00:13:24 +0400
changeset 389537306fba2189
parent 3894 0d76fbaa3cd9
child 3896 f8871116c6b3
Fixing security issues related to MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg (possible XSS)
MoinMoin/Page.py
MoinMoin/PageEditor.py
MoinMoin/PageGraphicalEditor.py
MoinMoin/action/CopyPage.py
MoinMoin/action/LikePages.py
MoinMoin/action/Load.py
MoinMoin/action/RenamePage.py
MoinMoin/action/backup.py
MoinMoin/action/chart.py
MoinMoin/action/login.py
MoinMoin/action/newaccount.py
MoinMoin/action/recoverpass.py
MoinMoin/action/userprofile.py
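--- a/MoinMoin/Page.py
+++ b/MoinMoin/Page.py
@@ -1053,8 +1053,8 @@
                 if 'highlight' in request.form:
                     del request.form['highlight']
                 request.theme.add_msg(_('Invalid highlighting regular expression "%(regex)s": %(error)s') % {
-                                          'regex': self.hilite_re,
-                                          'error': str(err),
+                                          'regex': wikiutil.escape(self.hilite_re),
+                                          'error': wikiutil.escape(str(err)),
                                       }, "warning")
                 self.hilite_re = None
 
@@ -1111,7 +1111,7 @@
                     request.theme.add_msg("<strong>%s</strong><br>" % (
                         _('Revision %(rev)d as of %(date)s') % {
                             'rev': self.rev,
-                            'date': self.mtime_printable(request)
+                            'date': wikiutil.escape(self.mtime_printable(request))
                         }), "info")
 
                 # This redirect message is very annoying.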
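Review bot: The escaping is added at the call sites, but the reason it is needed — `theme.add_msg` treats its message as HTML, as the `<strong>` markup in the second hunk shows — is documented nowhere in the commit, so the next caller that interpolates a request value (here `self.hilite_re`, which the neighbouring `del request.form['highlight']` suggests comes from the request) will repeat the bug. A docstring on `add_msg` such as `msg is rendered as HTML; wikiutil.escape() any user- or request-derived text before passing it` would make the contract visible where it is needed. The same point applies to the LikePages.py, chart.py, login.py and userprofile.py sections, which all fix individual callers. Both enclosing functions in this file start and end outside the hunks.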
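--- a/MoinMoin/PageEditor.py
+++ b/MoinMoin/PageEditor.py
@@ -278,14 +278,15 @@
         elif 'template' in form:
             # If the page does not exist, we try to get the content from the template parameter.
             template_page = wikiutil.unquoteWikiname(form['template'][0])
+            template_page_escaped = wikiutil.escape(template_page)
             if request.user.may.read(template_page):
                 raw_body = Page(request, template_page).get_raw_body()
                 if raw_body:
-                    request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page, ), 'info')
+                    request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page_escaped, ), 'info')
                 else:
-                    request.theme.add_msg(_("[Template %s not found]") % (template_page, ), 'warning')
+                    request.theme.add_msg(_("[Template %s not found]") % (template_page_escaped, ), 'warning')
             else:
-                request.theme.add_msg(_("[You may not read %s]") % (template_page, ), 'error')
+                request.theme.add_msg(_("[You may not read %s]") % (template_page_escaped, ), 'error')
 
         # Make backup on previews - but not for new empty pages
         if not use_draft and preview and raw_body: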
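Review bot: The three escaped messages in this hunk are duplicated almost verbatim in the MoinMoin/PageGraphicalEditor.py section, differing only in `request.theme.add_msg(..., 'info')` versus `request.write(..., '<br>')`, so this fix had to land twice and any future change to the message text or its escaping will again need two edits. Extracting the template-loading block into a shared helper that returns the raw body plus a message and its level, and letting each editor decide how to display it, would leave a single copy to audit. The unescaped `template_page` is correctly kept for the permission check and the `Page()` lookup, which need the real name. The enclosing method starts and ends outside the hunk.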
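--- a/MoinMoin/PageGraphicalEditor.py
+++ b/MoinMoin/PageGraphicalEditor.py
@@ -171,14 +171,15 @@
         elif 'template' in form:
             # If the page does not exist, we try to get the content from the template parameter.
             template_page = wikiutil.unquoteWikiname(form['template'][0])
+            template_page_escaped = wikiutil.escape(template_page)
             if request.user.may.read(template_page):
                 raw_body = Page(request, template_page).get_raw_body()
                 if raw_body:
-                    request.write(_("[Content of new page loaded from %s]") % (template_page, ), '<br>')
+                    request.write(_("[Content of new page loaded from %s]") % (template_page_escaped, ), '<br>')
                 else:
-                    request.write(_("[Template %s not found]") % (template_page, ), '<br>')
+                    request.write(_("[Template %s not found]") % (template_page_escaped, ), '<br>')
             else:
-                request.write(_("[You may not read %s]") % (template_page, ), '<br>')
+                request.write(_("[You may not read %s]") % (template_page_escaped, ), '<br>')
 
         # Make backup on previews - but not for new empty pages
         if not use_draft and preview and raw_body: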
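--- a/MoinMoin/action/CopyPage.py
+++ b/MoinMoin/action/CopyPage.py
@@ -87,7 +87,7 @@
     def get_form_html(self, buttons_html):
         _ = self._
         if self.users_subpages:
-            subpages = ' '.join(self.users_subpages)
+            subpages = ' '.join([wikiutil.escape(page) for page in self.users_subpages])
 
             d = {
                 'textcha': TextCha(self.request).render(),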
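Review bot: `wikiutil.escape(page)` on the new `subpages` line escapes `&`, `<` and `>` but, without `quote=1`, leaves `"` untouched (the Load.py section passes `quote=1` for exactly that reason), so whether this is sufficient depends on where the form template consumes the value placed in `d`, which is outside the hunk. If it lands inside an attribute such as `value="..."` this needs `wikiutil.escape(page, quote=1)`; if it is rendered as element text the current form is enough — please confirm against the template. The identical change in the MoinMoin/action/RenamePage.py section has the same open question. `get_form_html` continues past the hunk.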
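--- a/MoinMoin/action/LikePages.py
+++ b/MoinMoin/action/LikePages.py
@@ -24,19 +24,19 @@
 
     # Error?
     if isinstance(matches, (str, unicode)):
-        request.theme.add_msg(matches, "info")
+        request.theme.add_msg(wikiutil.escape(matches), "info")
         Page(request, pagename).send_page()
         return
 
     # No matches
     if not matches:
-        request.theme.add_msg(_('No pages like "%s"!') % (pagename, ), "error")
+        request.theme.add_msg(_('No pages like "%s"!') % (wikiutil.escape(pagename), ), "error")
         Page(request, pagename).send_page()
         return
 
     # One match - display it
     if len(matches) == 1:
-        request.theme.add_msg(_('Exactly one page like "%s" found, redirecting to page.') % (pagename, ), "info")
+        request.theme.add_msg(_('Exactly one page like "%s" found, redirecting to page.') % (wikiutil.escape(pagename), ), "info")
         Page(request, matches.keys()[0]).send_page()
         return
 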
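Review bot: The first change escapes `matches` when it is a string, i.e. the error text produced by whatever computed `matches` above the hunk, but that producer is not visible here, so it cannot be confirmed whether it returns plain text or already-formatted markup; in the latter case `wikiutil.escape` would now show the tags literally. Worth checking its string-returning paths and, if they are plain text, pinning that down with a one-line comment there such as `# plain text: LikePages escapes it before theme.add_msg`. The `pagename` escapes in the other two messages look right, since the raw name is still used for the `Page()` calls. The enclosing function starts before and continues past the hunk.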
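--- a/MoinMoin/action/Load.py
+++ b/MoinMoin/action/Load.py
@@ -108,7 +108,7 @@
     'upload_label_file': _('File to load page content from'),
     'upload_label_comment': _('Comment'),
     'upload_label_rename': _('Page Name'),
-    'pagename': self.pagename,
+    'pagename': wikiutil.escape(self.pagename, quote=1),
     'buttons_html': buttons_html,
     'action_name': self.form_trigger,
     'textcha': TextCha(self.request).render(),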
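--- a/MoinMoin/action/RenamePage.py
+++ b/MoinMoin/action/RenamePage.py
@@ -80,7 +80,7 @@
     def get_form_html(self, buttons_html):
         _ = self._
         if self.subpages:
-            subpages = ' '.join(self.subpages)
+            subpages = ' '.join([wikiutil.escape(page) for page in self.subpages])
 
             d = {
                 'subpage': subpages,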
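--- a/MoinMoin/action/backup.py
+++ b/MoinMoin/action/backup.py
@@ -114,7 +114,11 @@
     request.theme.send_footer(pagename)
     request.theme.send_closing_html()
 
+# NOTE: consider using ActionBase.render_msg instead of this function.
 def sendMsg(request, pagename, msg, msgtype):
+    """
+    @param msg: Message to show. Should be escaped.
+    """
     from MoinMoin import Page
     request.theme.add_msg(msg, msgtype)
     return Page.Page(request, pagename).send_page()
@@ -140,4 +144,4 @@
         sendBackupForm(request, pagename)
     else:
         return sendMsg(request, pagename,
-                       msg=_('Unknown backup subaction: %s.') % dowhat, msgtype="error")
+                       msg=_('Unknown backup subaction: %s.') % wikiutil.escape(dowhat), msgtype="error")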
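Review bot: The new docstring on `sendMsg` says the message `Should be escaped`, but this is a convention only — the function still forwards `msg` to `theme.add_msg` unchanged — and the other `sendMsg` callers in this file are outside the hunks, so it is not visible here whether each of them now escapes its interpolated values the way the second hunk does for `dowhat`. Tightening the wording to `@param msg: Message to show; must already be HTML-escaped, it is passed to theme.add_msg verbatim.` removes the ambiguity of "should", and the `# NOTE:` above the `def` would be more useful if it said why `ActionBase.render_msg` is preferable. The second hunk's enclosing function starts outside the hunk.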
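--- a/MoinMoin/action/chart.py
+++ b/MoinMoin/action/chart.py
@@ -6,6 +6,7 @@
                 2006 MoinMoin:ThomasWaldmann
     @license: GNU GPL, see COPYING for details.
 """
+from MoinMoin import wikiutil
 from MoinMoin.util import pysupport
 
 def execute(pagename, request):
@@ -27,7 +28,7 @@
     try:
         func = pysupport.importName("MoinMoin.stats.%s" % chart_type, 'draw')
     except (ImportError, AttributeError):
-        request.theme.add_msg(_('Bad chart type "%s"!') % chart_type, "error")
+        request.theme.add_msg(_('Bad chart type "%s"!') % wikiutil.escape(chart_type), "error")
         return request.page.send_page()
 
     func(pagename, request)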
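Review bot: Escaping `chart_type` fixes the message in the second hunk, but the same value is still interpolated unvalidated into the dynamic module name on the `pysupport.importName("MoinMoin.stats.%s" % chart_type, 'draw')` line, with the `except (ImportError, AttributeError)` as the only thing between a request parameter and the import machinery. Checking `chart_type` against the set of stats modules the wiki actually ships (or at least that it is a plain identifier) before that call, and rejecting anything else with the same error message, would be cheap defence in depth. Where `chart_type` is read is outside the hunk, so I cannot tell whether such a check already exists there. `execute` starts in the first hunk and continues past the second.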
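--- a/MoinMoin/action/login.py
+++ b/MoinMoin/action/login.py
@@ -68,7 +68,7 @@
             if hasattr(request, '_login_messages'):
                 for msg in request._login_messages:
                     error.append('<p>')
-                    error.append(msg)
+                    error.append(wikiutil.escape(msg))
                 error = ''.join(error)
             request.theme.add_msg(error, "error")
             return self.page.send_page()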
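Review bot: Escaping each `msg` from `request._login_messages` changes the implicit contract for whoever appends to that list — presumably the auth backends, which are outside this hunk — from "HTML fragment" to "plain text"; if any of them currently stores a link or other markup there, it will now be displayed literally. It would be worth auditing the appenders and documenting the expectation where `_login_messages` is created, e.g. `# plain-text messages; login.py HTML-escapes them before display`. Unrelated to the change but visible in the hunk, each `<p>` is opened and never closed. The enclosing method starts and ends outside the hunk.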
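--- a/MoinMoin/action/newaccount.py
+++ b/MoinMoin/action/newaccount.py
@@ -61,7 +61,7 @@
     if pw_checker:
         pw_error = pw_checker(theuser.name, password)
         if pw_error:
-            return _("Password not acceptable: %s") % pw_error
+            return _("Password not acceptable: %s") % wikiutil.escape(pw_error)
 
     # Encode password
     if password and not password.startswith('{SHA}'):
@@ -69,7 +69,7 @@
             theuser.enc_password = user.encodePassword(password)
         except UnicodeError, err:
             # Should never happen
-            return "Can't encode password: %s" % str(err)
+            return "Can't encode password: %s" % wikiutil.escape(str(err))
 
     # try to get the email, for new users it is required
     email = wikiutil.clean_input(form.get('email', [''])[0])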
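Review bot: In the first hunk `pw_error` is escaped before being returned, which silently turns `pw_checker` — an optional hook, judging by the `if pw_checker:` guard — into a plain-text interface: a checker that returns markup (for instance a link to the password policy) will now render as literal text. The MoinMoin/action/recoverpass.py section makes the same assumption, so the contract belongs in one place, next to where the checker is configured: `# pw_checker must return None or a plain-text reason; callers HTML-escape it before display`. The enclosing function begins before the first hunk and continues past the second.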
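--- a/MoinMoin/action/recoverpass.py
+++ b/MoinMoin/action/recoverpass.py
@@ -175,7 +175,7 @@
             if pw_checker:
                 pw_error = pw_checker(name, newpass)
                 if pw_error:
-                    msg = _("Password not acceptable: %s") % pw_error
+                    msg = _("Password not acceptable: %s") % wikiutil.escape(pw_error)
             if not pw_error:
                 u = user.User(request, user.getUserId(request, name))
                 if u and u.valid and u.apply_recovery_token(token, newpass):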
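--- a/MoinMoin/action/userprofile.py
+++ b/MoinMoin/action/userprofile.py
@@ -28,7 +28,7 @@
         oldval = getattr(theuser, key)
         setattr(theuser, key, val)
         theuser.save()
-        request.theme.add_msg('%s.%s: %s -> %s' % (user_name, key, oldval, val), "info")
+        request.theme.add_msg('%s.%s: %s -> %s' % tuple([wikiutil.escape(s) for s in [user_name, key, oldval, val]]), "info")
 
     Page(request, pagename).send_page()
 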
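Review bot: The original `'%s.%s: %s -> %s' % (user_name, key, oldval, val)` accepted any value type, but the new line passes `oldval` — whatever `getattr(theuser, key)` returns, which for some user attributes may be a list, bool or None rather than a string — straight into `wikiutil.escape`; unless `wikiutil.escape` coerces non-strings itself (not visible here), this raises where the old code printed the value. Coercing first keeps the old behaviour: `tuple([wikiutil.escape('%s' % s) for s in [user_name, key, oldval, val]])`. A plain tuple of four `wikiutil.escape(...)` calls would also read more directly than `tuple([... for s in [...]])`. The enclosing function starts outside the hunk.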