XSS security fix for advanced search form: added escaping (thanks to Emanuele Gentili from Ubuntu for discovering the problem)
authorThomas Waldmann <tw AT waldmann-edv DOT de>
Sun, 13 Jul 2008 18:39:59 +0200
changeset 3746383196922b03
parent 3745 a53e20c3ebab
child 3747 85f1d2d650e5
XSS security fix for advanced search form: added escaping (thanks to Emanuele Gentili from Ubuntu for discovering the problem)
MoinMoin/macro/AdvancedSearch.py
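--- a/MoinMoin/macro/AdvancedSearch.py	Fri Jul 11 13:04:13 2008 +0200
+++ b/MoinMoin/macro/AdvancedSearch.py	Sun Jul 13 18:39:59 2008 +0200
@@ -38,14 +38,18 @@
     return pages
 
 
-def form_get(request, name, default=''):
+def form_get(request, name, default='', escaped=False):
     """ Fetches a form field
 
     @param request: current request
     @param name: name of the field
-    @keyword default: value if not present (default: '')
+    @param default: value if not present (default: '')
+    @param escaped: if True, escape value so it can be used for html generation (default: False)
     """
-    return request.form.get(name, [default])[0]
+    value = request.form.get(name, [default])[0]
+    if escaped:
+        value = wikiutil.escape(value, quote=True)
+    return value
 
 
 def advanced_ui(macro):
@@ -77,20 +81,20 @@
         ]) for txt, input_field in (
             (_('containing all the following terms'),
                 '<input type="text" name="and_terms" size="30" value="%s">'
-                % (form_get(request, 'and_terms') or form_get(request, 'value'))),
+                % (form_get(request, 'and_terms', escaped=True) or form_get(request, 'value', escaped=True))),
             (_('containing one or more of the following terms'),
                 '<input type="text" name="or_terms" size="30" value="%s">'
-                % form_get(request, 'or_terms')),
+                % form_get(request, 'or_terms', escaped=True)),
             (_('not containing the following terms'),
                 '<input type="text" name="not_terms" size="30" value="%s">'
-                % form_get(request, 'not_terms')),
+                % form_get(request, 'not_terms', escaped=True)),
             #('containing only one of the following terms',
             #    '<input type="text" name="xor_terms" size="30" value="%s">'
-            #    % form_get(request, 'xor_terms')),
+            #    % form_get(request, 'xor_terms', escaped=True)),
             # TODO: dropdown-box?
             (_('last modified since (e.g. last 2 weeks)'),
                 '<input type="text" name="mtime" size="30" value="%s">'
-                % form_get(request, 'mtime')),
+                % form_get(request, 'mtime', escaped=True)),
         )])
     ])
 
@@ -136,22 +140,23 @@
                 (_('Language'), unicode(lang_select), ''),
                 (_('File Type'), unicode(mt_select), ''),
                 ('', html.INPUT(type='checkbox', name='titlesearch',
-                    value='1', checked=form_get(request, 'titlesearch'),
+                    value='1', checked=form_get(request, 'titlesearch', escaped=True),
                     id='titlesearch'),
                     '<label for="titlesearch">%s</label>' % _('Search only in titles')),
                 ('', html.INPUT(type='checkbox', name='case', value='1',
-                    checked=form_get(request, 'case'), id='case'),
+                    checked=form_get(request, 'case', escaped=True),
+                    id='case'),
                     '<label for="case">%s</label>' % _('Case-sensitive search')),
                 ('', html.INPUT(type='checkbox', name='excludeunderlay',
-                    value='1', checked=form_get(request, 'excludeunderlay'),
+                    value='1', checked=form_get(request, 'excludeunderlay', escaped=True),
                     id='excludeunderlay'),
                     '<label for="excludeunderlay">%s</label>' % _('Exclude underlay')),
                 ('', html.INPUT(type='checkbox', name='nosystemitems',
-                    value='1', checked=form_get(request, 'nosystemitems'),
+                    value='1', checked=form_get(request, 'nosystemitems', escaped=True),
                     id='nosystempages'),
                     '<label for="nosystempages">%s</label>' % _('No system items')),
                 ('', html.INPUT(type='checkbox', name='historysearch',
-                    value='1', checked=form_get(request, 'historysearch'),
+                    value='1', checked=form_get(request, 'historysearch', escaped=True),
                     disabled=(not request.cfg.xapian_search or
                         not request.cfg.xapian_index_history),
                     id='historysearch'),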
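Review bot: The new `escaped` parameter in form_get (first hunk) defaults to False, so the fix depends on every HTML-emitting call site remembering to pass `escaped=True`, and a future caller that forgets reintroduces the same unescaped interpolation; since form_get is also a plain value accessor, keeping the default is reasonable, but the docstring should state the contract, e.g. `@param escaped: must be True whenever the result is interpolated into HTML; raw values are for search logic only (default: False)`. In the third hunk the checkbox lines now pass the escaped value into `html.INPUT(checked=...)`; if that widget escapes attribute values itself, this double-escapes — harmless for the expected '1' / '' values, but worth confirming against the widget code, which is not on this page. The enclosing advanced_ui body continues outside the second and third hunks.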