changeset 3834:27ddf6dfa7bd
XSS security fix for advanced search form: added escaping (thanks to Emanuele Gentili from Ubuntu for discovering the problem) (ported from 1.7)
author | Thomas Waldmann <tw AT waldmann-edv DOT de> |
---|---|
date | Sun, 13 Jul 2008 18:56:55 +0200 |
parents | 712e5938ec59 |
children | 9e960a76d2c8 |
files | MoinMoin/macro/AdvancedSearch.py |
diffstat | 1 files changed, 18 insertions(+), 13 deletions(-) [+] |
--- a/MoinMoin/macro/AdvancedSearch.py Sat Jul 12 15:53:01 2008 +0200
+++ b/MoinMoin/macro/AdvancedSearch.py Sun Jul 13 18:56:55 2008 +0200
@@ -38,14 +38,18 @@
 return pages
-def form_get(request, name, default=''):
+def form_get(request, name, default='', escaped=False):
 """ Fetches a form field
 @param request: current request
 @param name: name of the field
- @keyword default: value if not present (default: '')
+ @param default: value if not present (default: '')
+ @param escaped: if True, escape value so it can be used for html generation (default: False)
 """
- return request.form.get(name, [default])[0]
+ value = request.form.get(name, [default])[0]
+ if escaped:
+ value = wikiutil.escape(value, quote=True)
+ return value
 def advanced_ui(macro):
@@ -77,20 +81,20 @@
 ])
 for txt, input_field in (
 (_('containing all the following terms'),
 '<input type="text" name="and_terms" size="30" value="%s">'
- % (form_get(request, 'and_terms') or form_get(request, 'value'))),
+ % (form_get(request, 'and_terms', escaped=True) or form_get(request, 'value', escaped=True))),
 (_('containing one or more of the following terms'),
 '<input type="text" name="or_terms" size="30" value="%s">'
- % form_get(request, 'or_terms')),
+ % form_get(request, 'or_terms', escaped=True)),
 (_('not containing the following terms'),
 '<input type="text" name="not_terms" size="30" value="%s">'
- % form_get(request, 'not_terms')),
+ % form_get(request, 'not_terms', escaped=True)),
 #('containing only one of the following terms',
 # '<input type="text" name="xor_terms" size="30" value="%s">'
- # % form_get(request, 'xor_terms')),
+ # % form_get(request, 'xor_terms', escaped=True)),
 # TODO: dropdown-box?
 (_('last modified since (e.g. last 2 weeks)'),
 '<input type="text" name="mtime" size="30" value="%s">'
- % form_get(request, 'mtime')),
+ % form_get(request, 'mtime', escaped=True)),
 )])
 ])
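Review bot: `form_get` remains unsafe by default — with `escaped=False` any caller that interpolates a form value into markup and forgets `escaped=True` reproduces exactly the XSS this commit fixes, and the second hunk shows that every call site has to opt in one by one. Consider inverting the default, or exposing the raw accessor under a separate name so that returning unescaped input is the explicit choice; if the default must stay for callers that parse the value rather than render it, say so in the docstring: `@param escaped: if True, escape value so it can be used for html generation; leave False only when the value is parsed, never when it is interpolated into markup`. Note also that `wikiutil.escape(value, quote=True)` presumably escapes `"` but not `'` (cgi.escape semantics — verify in wikiutil), so the escaped value is only safe inside double-quoted attributes like the `value="%s"` templates in the next hunk, which is worth one line in the docstring.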
@@ -136,22 +140,23 @@
 (_('Language'), unicode(lang_select), ''),
 (_('File Type'), unicode(mt_select), ''),
 ('', html.INPUT(type='checkbox', name='titlesearch',
- value='1', checked=form_get(request, 'titlesearch'),
+ value='1', checked=form_get(request, 'titlesearch', escaped=True),
 id='titlesearch'),
 '<label for="titlesearch">%s</label>' % _('Search only in titles')),
 ('', html.INPUT(type='checkbox', name='case', value='1',
- checked=form_get(request, 'case'), id='case'),
+ checked=form_get(request, 'case', escaped=True),
+ id='case'),
 '<label for="case">%s</label>' % _('Case-sensitive search')),
 ('', html.INPUT(type='checkbox', name='excludeunderlay',
- value='1', checked=form_get(request, 'excludeunderlay'),
+ value='1', checked=form_get(request, 'excludeunderlay', escaped=True),
 id='excludeunderlay'),
 '<label for="excludeunderlay">%s</label>' % _('Exclude underlay')),
 ('', html.INPUT(type='checkbox', name='nosystemitems',
- value='1', checked=form_get(request, 'nosystemitems'),
+ value='1', checked=form_get(request, 'nosystemitems', escaped=True),
 id='nosystempages'),
 '<label for="nosystempages">%s</label>' % _('No system items')),
 ('', html.INPUT(type='checkbox', name='historysearch',
- value='1', checked=form_get(request, 'historysearch'),
+ value='1', checked=form_get(request, 'historysearch', escaped=True),
 disabled=(not request.cfg.xapian_search or
 not request.cfg.xapian_index_history),
 id='historysearch'),
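Review bot: The `escaped=True` added to the five `checked=form_get(...)` arguments is not the same protection as in the previous hunk — here the value is handed to the `html.INPUT` widget as a keyword rather than pasted into a format string, so the escape only matters if the widget writes the raw string into the attribute; if the widget escapes attribute values itself (likely for an HTML builder, but not visible in this diff) this double-escapes, and if `checked` is rendered as a boolean attribute only the truthiness of the string is used anyway. Worth confirming how `html.INPUT` renders `checked` and then either dropping the flag here with a short comment (`# html.INPUT escapes attribute values itself`) or keeping it with one that says the escape is defensive, so the next reader does not mistake it for the actual XSS fix. The tuple literal this hunk edits starts before the hunk.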