changeset 1075:2ecd1e6c084d

Fixed security issues in MoinMoin.user (do not reveal the ID), added variable hiding to cgitb.
author Alexander Schremmer <alex AT alexanderweb DOT de>
date Tue, 25 Jul 2006 13:18:30 +0200
parents 40b708ecc332
children 8c8b63ad1d17 d5cb04aab48d
files MoinMoin/support/cgitb.py MoinMoin/user.py docs/CHANGES.aschremmer
diffstat 3 files changed, 23 insertions(+), 5 deletions(-) [+]
--- a/MoinMoin/support/cgitb.py	Tue Jul 25 11:26:02 2006 +0200
+++ b/MoinMoin/support/cgitb.py	Tue Jul 25 13:18:30 2006 +0200
@@ -70,6 +70,11 @@
 __UNDEF__ = [] # a special sentinel object
 
 
+class HiddenObject:
+    def __repr__(self):
+        return "<HIDDEN>"
+HiddenObject = HiddenObject()
+
 class HTMLFormatter:
     """ Minimal html formatter """
     
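Review bot: `HiddenObject = HiddenObject()` on the last added line rebinds the class name to its single instance, so after import the class is unreachable and a reader of `value = HiddenObject` in the later hunks cannot tell whether it is a type or a sentinel. Naming the class separately keeps the sentinel pattern already used by `__UNDEF__` two lines above, e.g. `class _HiddenObject:` and `HiddenObject = _HiddenObject()`. The class also has no docstring; one sentence such as `"""Sentinel shown in place of values whose name is listed in the frame's unsafe_names."""` would state why `"<HIDDEN>"` is returned.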
@@ -295,7 +300,10 @@
             if ttype == tokenize.NAME and token not in keyword.kwlist:
                 if lasttoken == '.':
                     if parent is not __UNDEF__:
-                        value = getattr(parent, token, __UNDEF__)
+                        if self.unsafe_name(token):
+                            value = HiddenObject
+                        else:
+                            value = getattr(parent, token, __UNDEF__)
                         vars.append((prefix + token, prefix, value))
                 else:
                     where, value = self.lookup(token)
@@ -324,8 +332,12 @@
                 value = builtins.get(name, __UNDEF__)
             else:
                 value = getattr(builtins, name, __UNDEF__)
+        if self.unsafe_name(name):
+            value = HiddenObject
         return scope, value
 
+    def unsafe_name(self, name):
+        return name in self.frame.f_globals.get("unsafe_names", ())
 
 class View:
     """ Traceback view """
--- a/MoinMoin/user.py	Tue Jul 25 11:26:02 2006 +0200
+++ b/MoinMoin/user.py	Tue Jul 25 13:18:30 2006 +0200
@@ -6,6 +6,9 @@
     @license: GNU GPL, see COPYING for details.
 """
 
+# add names here to hide them in the cgitb traceback
+unsafe_names = ("id", "key", "val", "user_data", "enc_password")
+
 import os, time, sha, codecs
 
 try:
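Review bot: The tuple added at the new line 9 hides every variable named `id`, `key` or `val` in this module's frames, not only sensitive ones, so tracebacks from unrelated loops in user.py lose their values as well; the comment above it should say that the generic names are deliberate, presumably because profile-loading code binds profile fields to such names (confirm), so nobody trims them later. The comment also leaves the contract implicit: cgitb finds this list by the literal key `"unsafe_names"` in the frame's globals, which `# read by MoinMoin.support.cgitb via frame.f_globals["unsafe_names"]; matching names are hidden wholesale` would record. Placing the constant above the `import` line departs from the module's imports-first layout; moving it below the imports keeps the behaviour.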
@@ -289,9 +292,9 @@
             self.language = 'en'
 
     def __repr__(self):
-        return "<%s.%s at 0x%x name:%r id:%s valid:%r>" % (
+        return "<%s.%s at 0x%x name:%r valid:%r>" % (
             self.__class__.__module__, self.__class__.__name__,
-            id(self), self.name, self.id, self.valid)
+            id(self), self.name, self.valid)
 
     def make_id(self):
         """ make a new unique user id """
--- a/docs/CHANGES.aschremmer	Tue Jul 25 11:26:02 2006 +0200
+++ b/docs/CHANGES.aschremmer	Tue Jul 25 13:18:30 2006 +0200
@@ -30,8 +30,11 @@
 
   Bugfixes (only stuff that is buggy in moin/1.6 main branch):
     * Conflict resolution fixes. (merged into main)
-    * Python 2.5 compatibility fixes in the Page caching logic
-    * sre pickle issues in the wikidicts code
+    * Python 2.5 compatibility fixes in the Page caching logic (merged)
+    * sre pickle issues in the wikidicts code (merged)
+    * cgitb can hide particular names, this avoids information leaks
+      if the user files cannot be parsed for example
+    * Fixed User.__repr__ - it is insane to put the ID in there
 
   Other Changes:
     * Refactored conflict resolution and XMLRPC code.