changeset 6122:3bddf075fdbd

security: fix XSS in GUI editor's link dialogue CVE-2016-9119
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Mon, 31 Oct 2016 20:34:11 +0100
parents 1563d6db198c
children 8537503261b1
files MoinMoin/action/fckdialog.py
diffstat 1 files changed, 5 insertions(+), 4 deletions(-) [+]
--- a/MoinMoin/action/fckdialog.py	Fri Oct 28 21:33:38 2016 +0200
+++ b/MoinMoin/action/fckdialog.py	Mon Oct 31 20:34:11 2016 +0100
@@ -198,7 +198,7 @@
 </table>
 </body>
 </html>
-''' % "".join(["<option>%s</option>\n" % p for p in pages]))
+''' % "".join(["<option>%s</option>\n" % wikiutil.escape(p) for p in pages]))
 
 def link_dialog(request):
     # list of wiki pages
@@ -219,7 +219,7 @@
            </select>
           <td>
          </tr>
-''' % "\n".join(['<option value="%s">%s</option>' % (page, page)
+''' % "\n".join(['<option value="%s">%s</option>' % (wikiutil.escape(page), wikiutil.escape(page))
                  for page in pages])
     else:
         page_list = ""
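Review bot: The escaped value on the `+` line of this hunk is interpolated into an attribute (`value="%s"`), but `wikiutil.escape` is called with its default, which escapes `&`, `<` and `>` only, so a page name containing a double quote could still terminate the attribute. If page names may contain `"`, the attribute copy should be escaped with the quote option, `'<option value="%s">%s</option>' % (wikiutil.escape(page, quote=1), wikiutil.escape(page))`; the same applies to the `value="%s"` interpolation in the third hunk (`wikiutil.escape(key)` at the start of the `interwiki` join). `basepage` in the third hunk is likewise HTML-escaped without the quote option, and where it is written (attribute, text or a script block) is outside the hunk, so the escaping should be checked against that context. The enclosing function `link_dialog` begins before this hunk and continues after it.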
@@ -237,13 +237,14 @@
     else:
         resultlist = iwpreferred[:-1]
     interwiki = "\n".join(
-        ['<option value="%s">%s</option>' % (key, key) for key in resultlist])
+        ['<option value="%s">%s</option>' % (wikiutil.escape(key), wikiutil.escape(key))
+         for key in resultlist])
 
     # wiki url
     url_prefix_static = request.cfg.url_prefix_static
     scriptname = request.script_root + '/'
     action = scriptname
-    basepage = request.page.page_name
+    basepage = wikiutil.escape(request.page.page_name)
     request.write(u'''
 <!--
  * FCKeditor - The text editor for internet