changeset 3308:6eb96b8664b0

security fix: check the ACL of the included page when using the rst parser's include directive
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Tue, 18 Mar 2008 20:58:57 +0100
parents f4212fb5ecb0
children 4c14c613e275 e66f55d0076d
files MoinMoin/parser/text_rst.py
diffstat 1 files changed, 13 insertions(+), 10 deletions(-) [+]
--- a/MoinMoin/parser/text_rst.py	Tue Mar 18 19:43:45 2008 +0100
+++ b/MoinMoin/parser/text_rst.py	Tue Mar 18 20:58:57 2008 +0100
@@ -562,17 +562,20 @@
             return
 
         if len(content):
-            page = Page(page_name=content[0], request=self.request)
-            if page.exists():
-                text = page.get_raw_body()
-                lines = text.split('\n')
-                # Remove the "#format rst" line
-                if lines[0].startswith("#format"):
-                    del lines[0]
+            pagename = content[0]
+            page = Page(page_name=pagename, request=self.request)
+            if not self.request.user.may.read(pagename):
+                lines = [_("**You are not allowed to read the page: %s**") % (pagename, )]
             else:
-                lines = [_("**Could not find the referenced page: %s**") % (content[0], )]
-            # Insert the text from the included document and then continue
-            # parsing
+                if page.exists():
+                    text = page.get_raw_body()
+                    lines = text.split('\n')
+                    # Remove the "#format rst" line
+                    if lines[0].startswith("#format"):
+                        del lines[0]
+                else:
+                    lines = [_("**Could not find the referenced page: %s**") % (pagename, )]
+            # Insert the text from the included document and then continue parsing
             state_machine.insert_input(lines, 'MoinDirectives')
         return
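Review bot: The new `self.request.user.may.read(pagename)` check makes the directive's output depend on who is viewing the including page, and nothing in this hunk shows whether the rendered result is cached per user. If the parser's output can be served from a cache shared across users, text included for a permitted reader could still reach one who is not, so that is worth confirming outside this hunk. The ordering itself is sound: checking read permission before `page.exists()` means a denied user gets the same message whether or not the page exists. That intent deserves a comment above the check, for example `# check the ACL before exists() so a denied user cannot probe for page existence`. `Page(page_name=pagename, request=self.request)` is only needed in the `else` branch and could move there; the enclosing method starts above the hunk.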