diff MoinMoin/action/AttachFile.py @ 5098:ff588e9e24d6

simplify getAttachUrl: remove the upload parameter. upload=x didn't influence drawing url generation at all; for file url generation one can just give do='upload_form' if one wants the upload url. URL args for do='upload_form' were streamlined to use target=x instead of rename=x, so it is more similar to the other code. Removed the test for "tainted" file names in URLs: we must not "taint" file names for URLs. Filenames in URLs need to be url-quoted; if a URL is used in html, it needs to be escaped.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 13 Sep 2009 00:06:04 +0200
parents 6024628e8d60
children d8ccac2f24c5
--- a/MoinMoin/action/AttachFile.py	Sat Sep 12 21:42:55 2009 +0200
+++ b/MoinMoin/action/AttachFile.py	Sun Sep 13 00:06:04 2009 +0200
@@ -82,13 +82,12 @@
     else:
         return u"/".join(pieces[:-1]), pieces[-1]
 
-def getAttachUrl(pagename, filename, request, addts=0, escaped=0, do='get', drawing='', upload=False):
-    """ Get URL that points to attachment `filename` of page `pagename`. """
+def getAttachUrl(pagename, filename, request, addts=0, escaped=0, do='get', drawing=''):
+    """ Get URL that points to attachment `filename` of page `pagename`.
+        For upload url (files, not drawings), call with do='upload_form'.
+    """
     if not drawing:
-        if upload:
-            url = request.href(pagename, action=action_name, rename=wikiutil.taintfilename(filename))
-        else:
-            url = request.href(pagename, action=action_name, do=do, target=filename)
+        url = request.href(pagename, action=action_name, do=do, target=filename)
     else:
         url = request.href(pagename, action=request.cfg.drawing_action, target=drawing)
     return url
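Review bot: `escaped=0` and `addts=0` survive in the new signature on the `def` line, but neither name is read anywhere in the body, so a caller passing `escaped=1` gets the raw `request.href(...)` result back unchanged. The commit message itself says a URL placed in HTML must be escaped, which makes this silent no-op the kind of thing a later maintainer will trust by its name; the docstring should state it. Proposed addition after the existing second docstring line: `escaped and addts are accepted for call compatibility only and are not applied here; escape the returned URL (e.g. with wikiutil.escape) before embedding it in HTML.` Whether any caller elsewhere in the file still relies on `escaped=1` is not visible in this hunk.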
@@ -416,8 +415,8 @@
 <dl>
 <dt>%(upload_label_file)s</dt>
 <dd><input type="file" name="file" size="50"></dd>
-<dt>%(upload_label_rename)s</dt>
-<dd><input type="text" name="rename" size="50" value="%(rename)s"></dd>
+<dt>%(upload_label_target)s</dt>
+<dd><input type="text" name="target" size="50" value="%(target)s"></dd>
 <dt>%(upload_label_overwrite)s</dt>
 <dd><input type="checkbox" name="overwrite" value="1" %(overwrite_checked)s></dd>
 </dl>
@@ -432,8 +431,8 @@
     'url': request.href(pagename),
     'action_name': action_name,
     'upload_label_file': _('File to upload'),
-    'upload_label_rename': _('Rename to'),
-    'rename': wikiutil.escape(request.values.get('rename', ''), 1),
+    'upload_label_target': _('Rename to'),
+    'target': wikiutil.escape(request.values.get('target', ''), 1),
     'upload_label_overwrite': _('Overwrite existing attachment of same name'),
     'overwrite_checked': ('', 'checked')[request.form.get('overwrite', '0') == '1'],
     'upload_button': _('Upload'),
@@ -510,10 +509,8 @@
     if overwrite and not request.user.may.delete(pagename):
         return _('You are not allowed to overwrite a file attachment of this page.')
 
-    rename = form.get('rename', u'').strip()
-    if rename:
-        target = rename
-    else:
+    target = form.get('target', u'').strip()
+    if not target:
         target = file_upload.filename or u''
 
     target = wikiutil.clean_input(target)
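Review bot: Both values that feed `target` here — the `target` form field on the first added line and the `file_upload.filename` fallback two lines below it — are supplied by the client, and within this hunk only `strip()` and `wikiutil.clean_input()` are applied before the value moves on; whether it is rejected when empty and reduced to a bare file name happens, if at all, in code below the hunk. The enclosing upload handler starts before the hunk and continues after it, so this is hedged. If no such check exists below, an empty `target` (no field sent and a blank `file_upload.filename`) passes this point unchallenged; a guard right after the `clean_input` line, `if not target:` followed by `return _('<error message placeholder>')`, would make the hunk self-contained in the same style as the permission checks at its top. A short comment on the fallback line, `# file_upload.filename is client-controlled; normalised further below`, would also tell the reader where the real validation lives.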