changeset 4699:5f51246a4df1

AttachFile XSS fixes: move escaping to error_msg / upload_form
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 18 Apr 2009 18:58:25 +0200
parents 903831e9eb77
children 269a1fbc3ed7
files MoinMoin/action/AttachFile.py
diffstat 1 files changed, 9 insertions(+), 6 deletions(-) [+]
--- a/MoinMoin/action/AttachFile.py	Mon Apr 13 14:09:57 2009 +0200
+++ b/MoinMoin/action/AttachFile.py	Sat Apr 18 18:58:25 2009 +0200
@@ -387,6 +387,7 @@
 
 
 def error_msg(pagename, request, msg):
+    msg = wikiutil.escape(msg)
     request.theme.add_msg(msg, "error")
     Page(request, pagename).send_page()
 
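Review bot: The new `msg = wikiutil.escape(msg)` makes error_msg escape unconditionally, so any caller elsewhere in the module that still hands it a pre-escaped string (the pattern the removed lines in the later hunks follow) will render double-escaped text such as `&amp;lt;`; the same applies to upload_form in the third hunk. The call sites visible in this diff are converted, but callers outside the diff are not shown, so the remaining error_msg and upload_form callers in the module presumably need the same audit. The new contract should be stated on the function so it is not re-broken: `"""Show *msg* in an error box. msg is plain text and is HTML-escaped here; callers must not escape or include markup."""`.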
@@ -512,7 +513,7 @@
     if handler:
         msg = handler(pagename, request)
     else:
-        msg = _('Unsupported AttachFile sub-action: %s') % (wikiutil.escape(do[0]), )
+        msg = _('Unsupported AttachFile sub-action: %s') % do[0]
     if msg:
         error_msg(pagename, request, msg)
 
@@ -522,6 +523,8 @@
 
 
 def upload_form(pagename, request, msg=''):
+    if msg:
+        msg = wikiutil.escape(msg)
     _ = request.getText
 
     request.emit_http_headers()
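Review bot: The `if msg:` guard around the escape looks redundant for the `''` default, since escaping an empty string yields an empty string; if it is there to tolerate a `None` argument, that intent is worth a comment, because the later use of msg in the form (outside this hunk) would then also have to handle `None`. Either drop the guard to a plain `msg = wikiutil.escape(msg)` or annotate it: `# escape here, not at call sites: msg is plain text (None/'' means no message)`. A one-line docstring stating that msg is plain text and is escaped by upload_form would make the contract visible to callers.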
@@ -838,13 +841,13 @@
 
     if package.isPackage():
         if package.installPackage():
-            msg = _("Attachment '%(filename)s' installed.") % {'filename': wikiutil.escape(target)}
+            msg = _("Attachment '%(filename)s' installed.") % {'filename': target}
         else:
-            msg = _("Installation of '%(filename)s' failed.") % {'filename': wikiutil.escape(target)}
+            msg = _("Installation of '%(filename)s' failed.") % {'filename': target}
         if package.msg:
-            msg += "<br><pre>%s</pre>" % wikiutil.escape(package.msg)
+            msg += " " + package.msg
     else:
-        msg = _('The file %s is not a MoinMoin package file.') % wikiutil.escape(target)
+        msg = _('The file %s is not a MoinMoin package file.') % target
 
     upload_form(pagename, request, msg=msg)
 
@@ -948,7 +951,7 @@
         logging.exception("An exception within zip file attachment handling occurred:")
         msg = _("A severe error occurred:") + ' ' + str(err)
 
-    upload_form(pagename, request, msg=wikiutil.escape(msg))
+    upload_form(pagename, request, msg=msg)
 
 
 def send_viewfile(pagename, request):