comparison MoinMoin/action/AttachFile.py @ 2210:316bbfb37f2b

XSS fix for AttachFile 'do' parameter (ported from 1.5 repo)
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Mon, 14 May 2007 22:59:19 +0200
parents 1577663f6354
children 01f05e74aa9c 062b76cf8d48
2209:ebdcd00ce19d 2210:316bbfb37f2b
542 """ Main dispatcher for the 'AttachFile' action. 542 """ Main dispatcher for the 'AttachFile' action.
543 """ 543 """
544 _ = request.getText 544 _ = request.getText
545 545
546 msg = None 546 msg = None
547 do = request.form.get('do')
548 if do is not None:
549 do = do[0]
547 if action_name in request.cfg.actions_excluded: 550 if action_name in request.cfg.actions_excluded:
548 msg = _('File attachments are not allowed in this wiki!') 551 msg = _('File attachments are not allowed in this wiki!')
549 elif 'do' not in request.form: 552 elif 'do' not in request.form:
550 upload_form(pagename, request) 553 upload_form(pagename, request)
551 elif request.form['do'][0] == 'savedrawing': 554 elif do == 'savedrawing':
552 if request.user.may.write(pagename): 555 if request.user.may.write(pagename):
553 save_drawing(pagename, request) 556 save_drawing(pagename, request)
554 request.emit_http_headers() 557 request.emit_http_headers()
555 request.write("OK") 558 request.write("OK")
556 else: 559 else:
557 msg = _('You are not allowed to save a drawing on this page.') 560 msg = _('You are not allowed to save a drawing on this page.')
558 elif request.form['do'][0] == 'upload': 561 elif do == 'upload':
559 if request.user.may.write(pagename): 562 if request.user.may.write(pagename):
560 if 'file' in request.form: 563 if 'file' in request.form:
561 do_upload(pagename, request) 564 do_upload(pagename, request)
562 else: 565 else:
563 # This might happen when trying to upload file names 566 # This might happen when trying to upload file names
564 # with non-ascii characters on Safari. 567 # with non-ascii characters on Safari.
565 msg = _("No file content. Delete non ASCII characters from the file name and try again.") 568 msg = _("No file content. Delete non ASCII characters from the file name and try again.")
566 else: 569 else:
567 msg = _('You are not allowed to attach a file to this page.') 570 msg = _('You are not allowed to attach a file to this page.')
568 elif request.form['do'][0] == 'del': 571 elif do == 'del':
569 if request.user.may.delete(pagename): 572 if request.user.may.delete(pagename):
570 del_file(pagename, request) 573 del_file(pagename, request)
571 else: 574 else:
572 msg = _('You are not allowed to delete attachments on this page.') 575 msg = _('You are not allowed to delete attachments on this page.')
573 elif request.form['do'][0] == 'move': 576 elif do == 'move':
574 if request.user.may.delete(pagename): 577 if request.user.may.delete(pagename):
575 send_moveform(pagename, request) 578 send_moveform(pagename, request)
576 else: 579 else:
577 msg = _('You are not allowed to move attachments from this page.') 580 msg = _('You are not allowed to move attachments from this page.')
578 elif request.form['do'][0] == 'attachment_move': 581 elif do == 'attachment_move':
579 if 'cancel' in request.form: 582 if 'cancel' in request.form:
580 msg = _('Move aborted!') 583 msg = _('Move aborted!')
581 error_msg(pagename, request, msg) 584 error_msg(pagename, request, msg)
582 return 585 return
583 if not wikiutil.checkTicket(request, request.form['ticket'][0]): 586 if not wikiutil.checkTicket(request, request.form['ticket'][0]):
586 return 589 return
587 if request.user.may.delete(pagename): 590 if request.user.may.delete(pagename):
588 attachment_move(pagename, request) 591 attachment_move(pagename, request)
589 else: 592 else:
590 msg = _('You are not allowed to move attachments from this page.') 593 msg = _('You are not allowed to move attachments from this page.')
591 elif request.form['do'][0] == 'get': 594 elif do == 'get':
592 if request.user.may.read(pagename): 595 if request.user.may.read(pagename):
593 get_file(pagename, request) 596 get_file(pagename, request)
594 else: 597 else:
595 msg = _('You are not allowed to get attachments from this page.') 598 msg = _('You are not allowed to get attachments from this page.')
596 elif request.form['do'][0] == 'unzip': 599 elif do == 'unzip':
597 if request.user.may.delete(pagename) and request.user.may.read(pagename) and request.user.may.write(pagename): 600 if request.user.may.delete(pagename) and request.user.may.read(pagename) and request.user.may.write(pagename):
598 unzip_file(pagename, request) 601 unzip_file(pagename, request)
599 else: 602 else:
600 msg = _('You are not allowed to unzip attachments of this page.') 603 msg = _('You are not allowed to unzip attachments of this page.')
601 elif request.form['do'][0] == 'install': 604 elif do == 'install':
602 if request.user.isSuperUser(): 605 if request.user.isSuperUser():
603 install_package(pagename, request) 606 install_package(pagename, request)
604 else: 607 else:
605 msg = _('You are not allowed to install files.') 608 msg = _('You are not allowed to install files.')
606 elif request.form['do'][0] == 'view': 609 elif do == 'view':
607 if request.user.may.read(pagename): 610 if request.user.may.read(pagename):
608 view_file(pagename, request) 611 view_file(pagename, request)
609 else: 612 else:
610 msg = _('You are not allowed to view attachments of this page.') 613 msg = _('You are not allowed to view attachments of this page.')
611 else: 614 else:
612 msg = _('Unsupported upload action: %s') % (request.form['do'][0],) 615 msg = _('Unsupported upload action: %s') % (wikiutil.escape(do),)
613 616
614 if msg: 617 if msg:
615 error_msg(pagename, request, msg) 618 error_msg(pagename, request, msg)
616 619
617 def upload_form(pagename, request, msg=''): 620 def upload_form(pagename, request, msg=''):
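Review bot: The new local `do` (lines 547-549) is escaped only at its single reflection point, the 'Unsupported upload action' message on line 615, while the branch on line 552 still tests `'do' not in request.form` instead of the local it now has; `elif do is None:` would make the dispatcher read from one place, and a comment at line 547 such as `# 'do' is taken verbatim from the request; escape it wherever it is echoed back to the user` would keep any future branch that reflects it honest. Whether the fix is complete also depends on error_msg() not escaping (or double-escaping) the message it receives, which is outside this hunk and I cannot confirm from here. `do = do[0]` on line 549 presumably assumes form values are never empty lists; if that is not guaranteed by the request layer, an empty `do` list would raise IndexError before any branch runs. The enclosing execute function starts before the hunk (its def line is not shown).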