changeset 3267:65be8803b8df

Attachfile.getAttachUrl: fixed upload tainting of rename
author Reimar Bauer <rb.proj AT googlemail DOT com>
date Sun, 16 Mar 2008 17:50:51 +0100
parents f62792cb2d24
children 753f234085c2
files MoinMoin/action/AttachFile.py MoinMoin/action/_tests/test_attachfile.py
diffstat 2 files changed, 13 insertions(+), 2 deletions(-) [+]
--- a/MoinMoin/action/AttachFile.py	Sun Mar 16 17:35:30 2008 +0100
+++ b/MoinMoin/action/AttachFile.py	Sun Mar 16 17:50:51 2008 +0100
@@ -88,10 +88,10 @@
     if upload:
         if not drawing:
             url = attachUrl(request, pagename, filename,
-                            rename=filename, action=action_name)
+                            rename=wikiutil.taintfilename(filename), action=action_name)
         else:
             url = attachUrl(request, pagename, filename,
-                            rename=filename, drawing=drawing, action=action_name)
+                            rename=wikiutil.taintfilename(filename), drawing=drawing, action=action_name)
     else:
         if not drawing:
             url = attachUrl(request, pagename, filename,
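Review bot: Tainting `rename` in the two upload calls only sanitises the default value written into the generated URL, and the request that later arrives can still carry any `rename` value. The code that handles the upload is not visible in this hunk, so it is worth confirming that it applies `wikiutil.taintfilename` to the received parameter as well. The positional `filename` argument in the same calls is still passed untainted, so the URL depends on `attachUrl` quoting it correctly. The tainting expression is now repeated in both branches; computing `rename = wikiutil.taintfilename(filename)` once above `if not drawing:` would keep them in step. The enclosing function starts and ends outside the hunk, and the non-upload branch is cut off at the last line.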
--- a/MoinMoin/action/_tests/test_attachfile.py	Sun Mar 16 17:35:30 2008 +0100
+++ b/MoinMoin/action/_tests/test_attachfile.py	Sun Mar 16 17:50:51 2008 +0100
@@ -45,3 +45,14 @@
     shutil.rmtree(fpath, True)
 
     assert expect == result
+    
+def test_getAttachUrl(request):
+    """
+    Tests if AttachFile.getAttachUrl taints a filename
+    """
+    pagename = "ThisPageDoesOnlyExistForThisTest"
+    filename = "<test2.txt>"
+    expect = "rename=_test2.txt_&"
+    result = AttachFile.getAttachUrl(pagename, filename, request, upload=True)
+
+    assert expect in result
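Review bot: `test_getAttachUrl` exercises only the non-drawing upload branch, although the commit changes both `attachUrl` calls. Assuming `getAttachUrl` accepts a `drawing` argument, as the AttachFile.py hunk suggests, a second assertion passing it would cover the other branch. The expected string `rename=_test2.txt_&` also relies on `rename` not being the last query parameter, so a reorder would fail the test without any regression in tainting; comparing the parsed `rename` value would be sturdier. A filename containing a path separator would be a useful extra case alongside `<test2.txt>`. The added line just before `def test_getAttachUrl` contains only trailing whitespace.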