security: fix path traversal vulnerability in AttachFile action
authorThomas Waldmann <tw AT waldmann-edv DOT de>
Sat, 29 Dec 2012 18:19:25 +0100
changeset 59123c27131a3c52
parent 5911 ef1bee86328f
child 5913 f2fb4b3ed8e5
security: fix path traversal vulnerability in AttachFile action
MoinMoin/action/AttachFile.py
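--- a/MoinMoin/action/AttachFile.py
+++ b/MoinMoin/action/AttachFile.py
@@ -678,6 +678,18 @@
 
 
 def move_file(request, pagename, new_pagename, attachment, new_attachment):
+    """
+    move a file attachment from pagename:attachment to new_pagename:new_attachment
+
+    @param pagename: original pagename
+    @param new_pagename: new pagename (may be same as original pagename)
+    @param attachment: original attachment filename
+                       note: attachment filename must not contain a path,
+                             use wikiutil.taintfilename() before calling move_file
+    @param new_attachment: new attachment filename (may be same as original filename)
+                       note: attachment filename must not contain a path,
+                             use wikiutil.taintfilename() before calling move_file
+    """
     _ = request.getText
 
     newpage = Page(request, new_pagename)
@@ -740,6 +752,10 @@
         upload_form(pagename, request, msg=_("Move aborted because new attachment name is empty."))
 
     attachment = request.form.get('oldattachmentname')
+    if attachment != wikiutil.taintfilename(attachment):
+        upload_form(pagename, request, msg=_("Please use a valid filename for attachment '%(filename)s'.") % {
+                              'filename': attachment})
+        return
     move_file(request, pagename, new_pagename, attachment, new_attachment)
 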
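Review bot: The new `oldattachmentname` guard returns after reporting a bad name, but the abort immediately above it (`upload_form(pagename, request, msg=_("Move aborted because new attachment name is empty."))`) has no visible `return`, so control appears to fall through to the new check and on to `move_file` with an empty or unset `new_attachment`; unless the enclosing conditional (outside the hunk) returns elsewhere, add `return` after that `upload_form` call so both aborts behave the same. `request.form.get('oldattachmentname')` yields `None` when the field is absent, and whether `wikiutil.taintfilename(None)` rejects it or raises is not visible here, so an explicit `if not attachment:` abort before the comparison would make that case deterministic. The enclosing handler starts outside the hunk, as does the body of `move_file`.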