changeset 1987:07aff6369476

merged main
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Mon, 09 Apr 2007 22:06:33 +0200
parents 3475126f78c6 (current diff) eb5328be394e (diff)
children dbf2b7426385
files MoinMoin/action/AttachFile.py
diffstat 3 files changed, 13 insertions(+), 9 deletions(-) [+]
--- a/MoinMoin/action/AttachFile.py	Mon Apr 09 22:06:09 2007 +0200
+++ b/MoinMoin/action/AttachFile.py	Mon Apr 09 22:06:33 2007 +0200
@@ -305,6 +305,7 @@
         label_install = _("install")
 
         for file in files:
+            mt = wikiutil.MimeType(filename=file)
             st = os.stat(os.path.join(attach_dir, file).encode(config.charset))
             fsize = "%.1f" % (float(st.st_size) / 1024)
             fmtime = request.user.getFormattedDateTime(st.st_mtime)
@@ -342,11 +343,11 @@
             else:
                 viewlink = '<a href="%(baseurl)s/%(urlpagename)s?action=%(action)s&amp;do=view&amp;target=%(urlfile)s">%(label_view)s</a>' % parmdict
 
-            if (packages.ZipPackage(request, os.path.join(attach_dir, file).encode(config.charset)).isPackage() and
+            if (packages.ZipPackage(request, os.path.join(attach_dir, file).encode(config.charset)).isPackage() and mt.minor == 'zip' and
                 request.user.isSuperUser()):
                 viewlink += ' | <a href="%(baseurl)s/%(urlpagename)s?action=%(action)s&amp;do=install&amp;target=%(urlfile)s">%(label_install)s</a>' % parmdict
             elif (zipfile.is_zipfile(os.path.join(attach_dir, file).encode(config.charset)) and
-                request.user.may.read(pagename) and request.user.may.delete(pagename)
+                mt.minor == 'zip' and request.user.may.read(pagename) and request.user.may.delete(pagename)
                 and request.user.may.write(pagename)):
                 viewlink += ' | <a href="%(baseurl)s/%(urlpagename)s?action=%(action)s&amp;do=unzip&amp;target=%(urlfile)s">%(label_unzip)s</a>' % parmdict
 
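Review bot: The added `mt.minor == 'zip'` tests in both conditions only decide whether the install and unzip links are rendered; the handlers behind `do=install` and `do=unzip` are not part of this diff and need the same check themselves, since hiding a link does not restrict the action. `mt` is built from the file name alone (`wikiutil.MimeType(filename=file)` in the previous hunk), so the name test is cheap and should come first: as written, `ZipPackage(...).isPackage()` and `zipfile.is_zipfile(...)` still run on the uploaded file before the name is consulted, and the same ordering applies to the two conditions in the hunk at line 990. Only the minor type is compared; adding `mt.major == 'application'` would make the intent explicit. The joined and encoded path is built three times per file in this loop and could be computed once, e.g. `fpath = os.path.join(attach_dir, file).encode(config.charset)`. The loop body starts and ends outside the hunk.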
@@ -990,11 +991,11 @@
         return
 
     package = packages.ZipPackage(request, fpath)
-    if package.isPackage():
+    if package.isPackage() and mt.minor == 'zip':
         request.write("<pre><b>%s</b>\n%s</pre>" % (_("Package script:"), wikiutil.escape(package.getScript())))
         return
 
-    if zipfile.is_zipfile(fpath):
+    if zipfile.is_zipfile(fpath) and mt.minor == 'zip':
         zf = zipfile.ZipFile(fpath, mode='r')
         request.write("<pre>%-46s %19s %12s\n" % (_("File Name"), _("Modified")+" "*5, _("Size")))
         for zinfo in zf.filelist:
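Review bot: `mt` is read in both changed conditions but is not assigned anywhere in this hunk; the function starts above it, so confirm that `mt` is bound on every path that reaches `package = packages.ZipPackage(request, fpath)`, otherwise these lines raise NameError. A file with zip content but a different extension now skips both branches and falls through to whatever follows this block, which is outside the hunk. A comment such as `# only treat the attachment as an archive when its name also says zip` would record that this is intended. Whether `zf` is closed after the listing is also not visible here.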
--- a/MoinMoin/config/multiconfig.py	Mon Apr 09 22:06:09 2007 +0200
+++ b/MoinMoin/config/multiconfig.py	Mon Apr 09 22:06:33 2007 +0200
@@ -328,7 +328,6 @@
     ]
 
     mimetypes_embed = [
-        'application/x-shockwave-flash',
         'application/x-dvi',
         'application/postscript',
         'application/pdf',
--- a/MoinMoin/macro/EmbedObject.py	Mon Apr 09 22:06:09 2007 +0200
+++ b/MoinMoin/macro/EmbedObject.py	Mon Apr 09 22:06:33 2007 +0200
@@ -173,10 +173,14 @@
             return _("Not supported mimetype of file: %s" % self.target)
 
         mime_type = "%s/%s" % (mt.major, mt.minor,)
-        if not mime_type in self.request.cfg.mimetypes_embed:
-            return "%s%s%s" % (self.macro.formatter.sysmsg(1),
-                               self.macro.formatter.text('Embedding of object by choosen formatter not possible'),
-                               self.macro.formatter.sysmsg(0))
+        dangerous = mime_type in self.request.cfg.mimetypes_xss_protect
+        
+        if not mime_type in self.request.cfg.mimetypes_embed or dangerous:
+            kw = {'src': url}
+            return "%s: %s%s%s" % (self.macro.formatter.text('Embedding of object by choosen formatter not possible'),
+                               self.macro.formatter.url(1, kw['src']),
+                               self.macro.formatter.text(self.target),
+                               self.macro.formatter.url(0))
 
         if self.alt is "":
             self.alt = "%(text)s %(mime_type)s" % {
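Review bot: For a type listed in `mimetypes_xss_protect` the new branch still emits a direct link to `url`, so the protection depends on how that URL is served. `url` is assigned above the hunk and the serving code is not in this diff, so confirm it delivers such types as a download rather than inline. The `kw` dict is built only to be read back on the next line, and `not mime_type in` reads better as `not in`: `if dangerous or mime_type not in self.request.cfg.mimetypes_embed:` followed by `self.macro.formatter.url(1, url)`. The message no longer goes through `formatter.sysmsg` and is identical for "not embeddable" and "blocked as dangerous", so a short comment saying why dangerous types get a link instead of an embed would help. The blank line after `dangerous = ...` carries trailing whitespace.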