
security: fix remote code execution vulnerability in twikidraw/anywikidraw actions. We have wikiutil.taintfilename() to make user-supplied filenames safe, so that they cannot contain any "special" characters such as path separators. It is used in many places in moin, but was not used here.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 29 Dec 2012 15:05:29 +0100
parents e50b087c4572
# -*- coding: iso-8859-1 -*-
"""
    MoinMoin - language_setup

    The superuser gets a table of language packages, listed depending on the selected
    language, for installation.

    @copyright: 2009 MoinMoin:ReimarBauer,

    @license: GNU GPL, see COPYING for details.
"""

from MoinMoin import i18n, packages, wikiutil
from MoinMoin.i18n import strings
i18n.strings = strings

from MoinMoin.action import AttachFile
from MoinMoin.util.dataset import TupleDataset, Column
from MoinMoin.widget.browser import DataBrowserWidget

def execute(pagename, request):
    _ = request.getText
    if not request.user or not request.user.isSuperUser():
        msg = _('Only superuser is allowed to use this action.')
        request.theme.add_msg(msg, "error")
        return ''
    fmt = request.html_formatter
    language_setup_page = 'LanguageSetup'
    not_translated_system_pages = ''
    files = AttachFile._get_files(request, language_setup_page)
    if not files:
        msg = _('No page packages found.')
        request.theme.add_msg(msg, "error")
        return ''
    wiki_languages = list(set([lang_file.split('--')[0] for lang_file in files]) - set(['']))

    lang = request.values.get('language') or 'English'
    target = request.values.get('target') or ''
    msg = ''
    # if target is given it tries to install the package.
    if target:
        dummy_pagename, dummy_target, targetpath = AttachFile._access_file(language_setup_page, request)
        package = packages.ZipPackage(request, targetpath)
        if package.isPackage():
            if package.installPackage():
                msg = _("Attachment '%(filename)s' installed.") % {'filename': target}
                msg = _("Installation of '%(filename)s' failed.") % {'filename': target}
            msg = _('The file %s is not a MoinMoin package file.') % target

    data = TupleDataset()
    data.columns = [
           Column('page package', label=_('page package')),
           Column('action', label=_('install')),

    label_install = _("install")
    for pageset_name in i18n.strings.pagesets:
        attachment = "" % (lang, pageset_name)
        # not_translated_system_pages are in english
        if attachment.endswith(not_translated_system_pages):
            attachment = ''
        install_link = ''
        querystr = {'action': 'language_setup', 'target': attachment, 'language': lang}
        if AttachFile.exists(request, language_setup_page, attachment):
            install_link =, label_install, querystr=querystr)
        data.addRow((pageset_name, install_link))

    table = DataBrowserWidget(request)
    page_table = ''.join(table.format(method='GET'))

    fmt = request.formatter
    lang_links = [, _lang,
                                        querystr={'action': 'language_setup',
                                                  'language': _lang,
                                                  'pageset': pageset_name, })
                  for _lang in wiki_languages]

    lang_selector = u''.join([fmt.paragraph(1), _("Choose:"), ' ', ' '.join(lang_links), fmt.paragraph(0)])

    title = _("Install language packs for '%s'") % wikiutil.escape(lang)
    request.theme.add_msg(msg, "info")
    request.theme.send_title(title,, pagename=pagename)