view MoinMoin/action/titleindex.py @ 5910:7e7e1cbb9d3f

security: fix remote code execution vulnerability in twikidraw/anywikidraw actions

We have wikiutil.taintfilename() to make user-supplied filenames safe, so that they can't contain any "special" characters like path separators, etc. It is used in many places in moin, but wasn't used here. :|
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 29 Dec 2012 15:05:29 +0100
parents 5ad5753ae311
children
# -*- coding: iso-8859-1 -*-
"""
    MoinMoin - "titleindex" action

    This action generates a plain list of pages, so that other wikis
    can implement http://www.usemod.com/cgi-bin/mb.pl?MetaWiki more
    easily.

    @copyright: 2001 Juergen Hermann <jh@web.de>
    @license: GNU GPL, see COPYING for details.
"""

from MoinMoin import config, util


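def execute(pagename, request):
    """Write a plain list of all user-readable page names to the response.

    The list is emitted either as text/plain (one name per line, the
    default) or as a small text/xml document, selected by the ``mimetype``
    request value. Any other requested value is answered as text/plain.

    @param pagename: name of the page the action was invoked on (not used
                     by this action)
    @param request: the request object; its values, rootpage, mimetype
                    attribute and write() method are used
    """
    # The mimetype comes from the client, so it must not be copied into the
    # response as-is: the plain branch below writes page names unescaped,
    # and a caller-chosen type such as text/html would let a browser
    # interpret those names as markup. Only the two formats this action
    # actually produces are accepted; everything else gets the default.
    mimetype = request.values.get('mimetype', "text/plain")
    if mimetype not in ("text/plain", "text/xml"):
        mimetype = "text/plain"
    request.mimetype = mimetype

    # Get list of user readable pages
    pages = request.rootpage.getPageList()
    pages.sort()

    if mimetype == "text/xml":
        request.write('<?xml version="1.0" encoding="%s"?>\r\n' % (config.charset, ))
        request.write('<TitleIndex>\r\n')
        for name in pages:
            # Page names are escaped for XML before being embedded.
            request.write('  <Title>%s</Title>\r\n' % (util.TranslateCDATA(name), ))
        request.write('</TitleIndex>\r\n')
    else:
        # text/plain: names are written raw, which is only safe because the
        # response type is pinned to text/plain above.
        for name in pages:
            request.write(name + '\r\n')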