view MoinMoin/action/ @ 5910:7e7e1cbb9d3f

security: fix remote code execution vulnerability in twikidraw/anywikidraw actions We have wikiutil.taintfilename() to make user supplied filenames safe, so that they can't contain any "special" characters like path separators, etc. It is used at many places in moin, but wasn't used here. :|
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 29 Dec 2012 15:05:29 +0100
parents bf0b4b96dcb4
# -*- coding: iso-8859-1 -*-
    MoinMoin - set values in user profile

    @copyright: 2008 MoinMoin:ThomasWaldmann
    @license: GNU GPL, see COPYING for details.
from MoinMoin.Page import Page
from MoinMoin import user, wikiutil

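def _settable_profile_key(theuser, key):
    """ Return True if *key* names a plain data attribute of *theuser*.

    Rejects the empty name, private/dunder names, names the user object
    does not have, and callables (methods).  This keeps a form-supplied key
    from clobbering the object's own behaviour and turns a typo into an
    error message instead of an AttributeError traceback.
    """
    if not key or key.startswith('_') or not hasattr(theuser, key):
        return False
    return not callable(getattr(theuser, key))


def execute(pagename, request):
    """ Set one value in a user's profile (superuser only).

    Form parameters (POST only):
      name   - login name of the user whose profile is changed
      key    - profile attribute to set; must be an existing, non-callable,
               non-private attribute of the user object
      val    - the new value; converted with int() when key is listed in
               cfg.user_checkbox_fields
      ticket - CSRF ticket, verified with wikiutil.checkTicket

    Non-superusers get an error message; a GET or a bad ticket does nothing.
    On success an info message "name.key: old -> new" is queued.  In every
    case the current page is re-sent so the queued message is shown.

    NOTE(review): the new value is only set on the in-memory User object;
    nothing in this function persists it -- check against the user.User API
    whether a save call belongs here.  Likewise an unknown user name is not
    rejected here: what user.getUserId returns for it is not visible in
    this file, confirm and guard if it is None.
    """
    _ = request.getText
    cfg = request.cfg
    form = request.form

    if not request.user.isSuperUser():
        request.theme.add_msg(_("Only superuser is allowed to use this action."), "error")
    elif (request.method == 'POST' and
          wikiutil.checkTicket(request, form.get('ticket', ''))):
        user_name = form.get('name', '')
        key = form.get('key', '')
        val = form.get('val', '')
        uid = user.getUserId(request, user_name)
        theuser = user.User(request, uid)
        # `key` ends up in setattr(); even for a ticket-bearing superuser we
        # only allow existing data attributes (see _settable_profile_key).
        if not _settable_profile_key(theuser, key):
            request.theme.add_msg(_("Invalid user profile key: %s") % wikiutil.escape(key), "error")
        else:
            try:
                if key in cfg.user_checkbox_fields:
                    val = int(val)
            except ValueError:
                # non-numeric value for a checkbox field: report instead of
                # letting the traceback reach the user
                request.theme.add_msg(_("Checkbox field %s needs an integer value.") % wikiutil.escape(key), "error")
            else:
                oldval = getattr(theuser, key)
                setattr(theuser, key, val)
                request.theme.add_msg('%s.%s: %s -> %s' % tuple([wikiutil.escape(s) for s in [user_name, key, oldval, val]]), "info")

    Page(request, pagename).send_page()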