changeset 5912:3c27131a3c52

security: fix path traversal vulnerability in AttachFile action
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 29 Dec 2012 18:19:25 +0100
parents ef1bee86328f
children f2fb4b3ed8e5
files MoinMoin/action/AttachFile.py
diffstat 1 files changed, 16 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/MoinMoin/action/AttachFile.py	Sat Dec 29 17:13:39 2012 +0100
+++ b/MoinMoin/action/AttachFile.py	Sat Dec 29 18:19:25 2012 +0100
@@ -678,6 +678,18 @@
 
 
 def move_file(request, pagename, new_pagename, attachment, new_attachment):
+    """
+    move a file attachment from pagename:attachment to new_pagename:new_attachment
+
+    @param pagename: original pagename
+    @param new_pagename: new pagename (may be same as original pagename)
+    @param attachment: original attachment filename
+                       note: attachment filename must not contain a path,
+                             use wikiutil.taintfilename() before calling move_file
+    @param new_attachment: new attachment filename (may be same as original filename)
+                       note: attachment filename must not contain a path,
+                             use wikiutil.taintfilename() before calling move_file
+    """
     _ = request.getText
 
     newpage = Page(request, new_pagename)
@@ -740,6 +752,10 @@
         upload_form(pagename, request, msg=_("Move aborted because new attachment name is empty."))
 
     attachment = request.form.get('oldattachmentname')
+    if attachment != wikiutil.taintfilename(attachment):
+        upload_form(pagename, request, msg=_("Please use a valid filename for attachment '%(filename)s'.") % {
+                              'filename': attachment})
+        return
     move_file(request, pagename, new_pagename, attachment, new_attachment)