comparison MoinMoin/action/AttachFile.py @ 5098:ff588e9e24d6

simplify getAttachUrl: remove the upload parameter. upload=x didn't influence drawing URL generation at all; for file URL generation one can just pass do='upload_form' if one wants the upload URL. URL args for do='upload_form' were streamlined to use target=x instead of rename=x so it is more similar to the other code. Removed test for "tainted" file names in URLs. We must not "taint" file names for URLs: filenames in URLs need to be url-quoted, and if a URL is used in HTML, it needs to be escaped.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 13 Sep 2009 00:06:04 +0200
parents 6024628e8d60
children d8ccac2f24c5
5096:c8ea1985d348 5098:ff588e9e24d6
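--- a/MoinMoin/action/AttachFile.py
+++ b/MoinMoin/action/AttachFile.py
@@ -80,17 +80,16 @@
 if len(pieces) == 1:
 return pagename, pieces[0]
 else:
 return u"/".join(pieces[:-1]), pieces[-1]
 
-def getAttachUrl(pagename, filename, request, addts=0, escaped=0, do='get', drawing='', upload=False):
-""" Get URL that points to attachment `filename` of page `pagename`. """
+def getAttachUrl(pagename, filename, request, addts=0, escaped=0, do='get', drawing=''):
+""" Get URL that points to attachment `filename` of page `pagename`.
+For upload url (files, not drawings), call with do='upload_form'.
+"""
 if not drawing:
-if upload:
-url = request.href(pagename, action=action_name, rename=wikiutil.taintfilename(filename))
-else:
-url = request.href(pagename, action=action_name, do=do, target=filename)
+url = request.href(pagename, action=action_name, do=do, target=filename)
 else:
 url = request.href(pagename, action=request.cfg.drawing_action, target=drawing)
 return url
 
 
@@ -414,12 +413,12 @@
 request.write("""
 <form action="%(url)s" method="POST" enctype="multipart/form-data">
 <dl>
 <dt>%(upload_label_file)s</dt>
 <dd><input type="file" name="file" size="50"></dd>
-<dt>%(upload_label_rename)s</dt>
-<dd><input type="text" name="rename" size="50" value="%(rename)s"></dd>
+<dt>%(upload_label_target)s</dt>
+<dd><input type="text" name="target" size="50" value="%(target)s"></dd>
 <dt>%(upload_label_overwrite)s</dt>
 <dd><input type="checkbox" name="overwrite" value="1" %(overwrite_checked)s></dd>
 </dl>
 %(textcha)s
 <p>
@@ -430,12 +429,12 @@
 </form>
 """ % {
 'url': request.href(pagename),
 'action_name': action_name,
 'upload_label_file': _('File to upload'),
-'upload_label_rename': _('Rename to'),
-'rename': wikiutil.escape(request.values.get('rename', ''), 1),
+'upload_label_target': _('Rename to'),
+'target': wikiutil.escape(request.values.get('target', ''), 1),
 'upload_label_overwrite': _('Overwrite existing attachment of same name'),
 'overwrite_checked': ('', 'checked')[request.form.get('overwrite', '0') == '1'],
 'upload_button': _('Upload'),
 'textcha': TextCha(request).render(),
 })
@@ -508,14 +507,12 @@
 return _('You are not allowed to attach a file to this page.')
 
 if overwrite and not request.user.may.delete(pagename):
 return _('You are not allowed to overwrite a file attachment of this page.')
 
-rename = form.get('rename', u'').strip()
-if rename:
-target = rename
-else:
+target = form.get('target', u'').strip()
+if not target:
 target = file_upload.filename or u''
 
 target = wikiutil.clean_input(target)
 
 if not target: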
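Review bot: At new lines 512–516 `target` is taken straight from the `target` form field or, failing that, from the multipart `file_upload.filename`, and the only normalization in view is `wikiutil.clean_input(target)`; nothing in the hunk strips path separators or `..`, so the taintfilename() step the commit deliberately drops for URL generation must still be applied before `target` is used as a filesystem path. If that happens below line 518 this is fine, but the split between "name as shown/used in URLs" and "name used on disk" deserves a comment at the `clean_input` line, e.g. `# clean_input only normalizes the display name; taintfilename() must still be applied before target touches the filesystem`. The enclosing upload function starts before and ends after the hunk, so the later sanitization cannot be confirmed from here.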