comparison MoinMoin/action/AttachFile.py @ 5910:7e7e1cbb9d3f

security: fix remote code execution vulnerability in twikidraw/anywikidraw actions

We have wikiutil.taintfilename() to make user supplied filenames safe, so that they can't contain any "special" characters like path separators, etc. It is used at many places in moin, but wasn't used here. :|
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 29 Dec 2012 15:05:29 +0100
parents b9450db6c129
children 3c27131a3c52
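The point of the commit above is that a container name taken from the request must be reduced to a single path component before it is joined onto the attachment directory, otherwise "../../filename" (or an absolute path) lands the tar file wherever the attacker wants it. The following is an added example written for this page, not MoinMoin's code: taint_filename() is a stand-in for wikiutil.taintfilename() (its exact character policy is an assumption), the attachment directory layout is invented, and unsafe_container_path()/container_path() model the difference between the original and the intended getFilename() usage.

```python
import os
import re

# Constructed stand-in for wikiutil.taintfilename(): anything outside a
# conservative character set becomes '_', so a path separator, drive
# letter or NUL byte can never survive into the filename.
_UNSAFE = re.compile(r'[^A-Za-z0-9_.\-]')


def taint_filename(name):
    """Reduce an untrusted filename to one safe path component.

    Raises ValueError for names that would collapse to '', '.' or '..',
    which are the only dot-only results the character filter lets through.
    """
    tainted = _UNSAFE.sub('_', name)
    if not tainted or set(tainted) <= {'.'}:
        raise ValueError("unusable filename: %r" % (name,))
    return tainted


def escapes(attach_dir, path):
    """True if path, once resolved, is not inside attach_dir."""
    base = os.path.realpath(attach_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) != base


def unsafe_container_path(attach_dir, containername):
    # The pre-fix behaviour: the user-supplied name is joined as-is.
    # '../../x' walks out of attach_dir, and an absolute name such as
    # '/etc/passwd' makes os.path.join discard attach_dir entirely.
    return os.path.join(attach_dir, containername)


def container_path(attach_dir, containername):
    # Hardened form: taint first, then verify the result still resolves
    # inside attach_dir as a second, independent check.
    safe_name = taint_filename(containername)
    path = os.path.join(attach_dir, safe_name)
    if escapes(attach_dir, path):
        raise ValueError("container path escapes %r" % (attach_dir,))
    return path


if __name__ == "__main__":
    # Constructed attachment directory; nothing here touches the disk.
    attach_dir = '/srv/wiki/data/pages/SomePage/attachments'
    for name in ('drawing.tdraw', '../../evil.tar', '/etc/passwd', '..'):
        raw = unsafe_container_path(attach_dir, name)
        print("%-16r unsafe join -> %r (escapes=%s)" % (name, raw, escapes(attach_dir, raw)))
        try:
            print("%-16r hardened    -> %r" % (name, container_path(attach_dir, name)))
        except ValueError as err:
            print("%-16r hardened    -> rejected: %s" % (name, err))
```

The realpath/commonpath check is deliberately kept even though taint_filename() already removes separators: if a later change relaxes the character filter, or a caller bypasses it the way the twikidraw/anywikidraw actions did, the containment check still refuses to write outside the attachment directory.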
5909:671124d91dc1 5910:7e7e1cbb9d3f
601 601
602 class ContainerItem: 602 class ContainerItem:
603 """ A storage container (multiple objects in 1 tarfile) """ 603 """ A storage container (multiple objects in 1 tarfile) """
604 604
605 def __init__(self, request, pagename, containername): 605 def __init__(self, request, pagename, containername):
606 """
607 @param pagename: a wiki page name
608 @param containername: the filename of the tar file.
609 Make sure this is a simple filename, NOT containing any path components.
610 Use wikiutil.taintfilename() to avoid somebody giving a container
611 name that starts with e.g. ../../filename or you'll create a
612 directory traversal and code execution vulnerability.
613 """
606 self.request = request 614 self.request = request
607 self.pagename = pagename 615 self.pagename = pagename
608 self.containername = containername 616 self.containername = containername
609 self.container_filename = getFilename(request, pagename, containername) 617 self.container_filename = getFilename(request, pagename, containername)
610 618
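Review bot: the new docstring states the invariant on containername but the constructor still does not enforce it; line 617 passes the raw containername straight to getFilename(), so any present or future caller that forgets wikiutil.taintfilename() reintroduces the traversal. Suggest making ContainerItem defensive, e.g. `self.containername = wikiutil.taintfilename(containername)` before the getFilename() call (or raising if containername != wikiutil.taintfilename(containername)), so the warning in the docstring is backed by code rather than by caller discipline. The twikidraw/anywikidraw call sites that the commit message says were fixed are not part of this hunk, so the actual use of taintfilename() there needs to be confirmed separately.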