XSS security fix for advanced search form: added escaping (thanks to Emanuele Gentili from Ubuntu for discovering the problem)
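--- a/MoinMoin/macro/AdvancedSearch.py
+++ b/MoinMoin/macro/AdvancedSearch.py
@@ -38,14 +38,18 @@
 return pages
 
 
-def form_get(request, name, default=''):
+def form_get(request, name, default='', escaped=False):
 """ Fetches a form field
 
 @param request: current request
 @param name: name of the field
- @keyword default: value if not present (default: '')
+ @param default: value if not present (default: '')
+ @param escaped: if True, escape value so it can be used for html generation (default: False)
 """
- return request.form.get(name, [default])[0]
+ value = request.form.get(name, [default])[0]
+ if escaped:
+ value = wikiutil.escape(value, quote=True)
+ return value
 
 
 def advanced_ui(macro):
@@ -77,20 +81,20 @@
 ]) for txt, input_field in (
 (_('containing all the following terms'),
 '<input type="text" name="and_terms" size="30" value="%s">'
- % (form_get(request, 'and_terms') or form_get(request, 'value'))),
+ % (form_get(request, 'and_terms', escaped=True) or form_get(request, 'value', escaped=True))),
 (_('containing one or more of the following terms'),
 '<input type="text" name="or_terms" size="30" value="%s">'
- % form_get(request, 'or_terms')),
+ % form_get(request, 'or_terms', escaped=True)),
 (_('not containing the following terms'),
 '<input type="text" name="not_terms" size="30" value="%s">'
- % form_get(request, 'not_terms')),
+ % form_get(request, 'not_terms', escaped=True)),
 #('containing only one of the following terms',
 # '<input type="text" name="xor_terms" size="30" value="%s">'
- # % form_get(request, 'xor_terms')),
+ # % form_get(request, 'xor_terms', escaped=True)),
 # TODO: dropdown-box?
 (_('last modified since (e.g. last 2 weeks)'),
 '<input type="text" name="mtime" size="30" value="%s">'
- % form_get(request, 'mtime')),
+ % form_get(request, 'mtime', escaped=True)),
 )])
 ])
 
@@ -136,22 +140,23 @@
 (_('Language'), unicode(lang_select), ''),
 (_('File Type'), unicode(mt_select), ''),
 ('', html.INPUT(type='checkbox', name='titlesearch',
- value='1', checked=form_get(request, 'titlesearch'),
+ value='1', checked=form_get(request, 'titlesearch', escaped=True),
 id='titlesearch'),
 '<label for="titlesearch">%s</label>' % _('Search only in titles')),
 ('', html.INPUT(type='checkbox', name='case', value='1',
- checked=form_get(request, 'case'), id='case'),
+ checked=form_get(request, 'case', escaped=True),
+ id='case'),
 '<label for="case">%s</label>' % _('Case-sensitive search')),
 ('', html.INPUT(type='checkbox', name='excludeunderlay',
- value='1', checked=form_get(request, 'excludeunderlay'),
+ value='1', checked=form_get(request, 'excludeunderlay', escaped=True),
 id='excludeunderlay'),
 '<label for="excludeunderlay">%s</label>' % _('Exclude underlay')),
 ('', html.INPUT(type='checkbox', name='nosystemitems',
- value='1', checked=form_get(request, 'nosystemitems'),
+ value='1', checked=form_get(request, 'nosystemitems', escaped=True),
 id='nosystempages'),
 '<label for="nosystempages">%s</label>' % _('No system items')),
 ('', html.INPUT(type='checkbox', name='historysearch',
- value='1', checked=form_get(request, 'historysearch'),
+ value='1', checked=form_get(request, 'historysearch', escaped=True),
 disabled=(not request.cfg.xapian_search or
 not request.cfg.xapian_index_history),
 id='historysearch'),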
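Review bot: Escaping is opt-in through the new `escaped` flag on form_get (first hunk), so every call that interpolates a form value into markup must remember `escaped=True`, and any caller left on the default silently receives the raw request value; the docstring should state that contract rather than only describe the flag, e.g. `@param escaped: if True, escape value so it can be used for html generation (default: False). Any value interpolated into HTML MUST be fetched with escaped=True; the unescaped value is only for search/back-end use.` In the third hunk the escaped value is used only as the truthiness of `checked=` on html.INPUT, whose `value='1'` is fixed, so escaping there is harmless but, if html.INPUT already escapes attribute values itself, redundant; a comment such as `# only truthiness matters here` on the first `checked=` line would make that intent clear. The enclosing advanced_ui body starts and ends outside the second and third hunks.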