changeset 6121:1563d6db198c

security: fix XSS in GUI editor's attachment dialogue CVE-2016-7146
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Fri, 28 Oct 2016 21:33:38 +0200
parents eceb70c41ecc
children 3bddf075fdbd
files MoinMoin/action/fckdialog.py
diffstat 1 files changed, 1 insertions(+), 1 deletions(-) [+]
--- a/MoinMoin/action/fckdialog.py	Fri Oct 28 21:30:38 2016 +0200
+++ b/MoinMoin/action/fckdialog.py	Fri Oct 28 21:33:38 2016 +0200
@@ -381,7 +381,7 @@
     requestedPagename = wikiutil.escape(request.values.get("requestedPagename", ""), quote=True)
     destinationPagename = wikiutil.escape(request.values.get("destinationPagename", request.page.page_name), quote=True)
 
-    attachmentsPagename = requestedPagename or request.page.page_name
+    attachmentsPagename = requestedPagename or wikiutil.escape(request.page.page_name)
     attachments = _get_files(request, attachmentsPagename)
     attachments.sort()
     attachmentList = '''
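Review bot: The new `wikiutil.escape(request.page.page_name)` on the `attachmentsPagename` line HTML-escapes the value before it is passed to `_get_files(request, attachmentsPagename)`, so a page name containing `&`, `<` or `>` will, as far as I can tell without seeing `_get_files`, be looked up under its escaped form and no longer match its real attachment directory. Escaping belongs at the point where the name is interpolated into the HTML template, not at the lookup; I would keep the raw name for the lookup and escape only the rendered copy, e.g. `attachmentsPagename = requestedPagename or request.page.page_name` followed by `escapedAttachmentsPagename = wikiutil.escape(attachmentsPagename, quote=True)` used in the markup below. The new call also omits `quote=True` while the two `wikiutil.escape` calls above pass it, so a `"` in a page name would still break out of a quoted attribute if this value lands in one; the `quote=True` form is the consistent choice here. The enclosing function and the template that consumes `attachmentList` continue outside the hunk, so where the value is ultimately emitted should be confirmed there.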