security: fix remote code execution vulnerability in twikidraw/anywikidraw actions
author Thomas Waldmann <tw AT waldmann-edv DOT de>
Sat, 29 Dec 2012 15:05:29 +0100
changeset 5910 7e7e1cbb9d3f
parent 5909 671124d91dc1
child 5911 ef1bee86328f
security: fix remote code execution vulnerability in twikidraw/anywikidraw actions

We have wikiutil.taintfilename() to make user supplied filenames safe,
so that they can't contain any "special" characters like path separators, etc.
It is used at many places in moin, but wasn't used here. :|
MoinMoin/action/AttachFile.py
MoinMoin/action/anywikidraw.py
MoinMoin/action/twikidraw.py
     1.1 --- a/MoinMoin/action/AttachFile.py	Mon Dec 24 23:49:10 2012 +0100
     1.2 +++ b/MoinMoin/action/AttachFile.py	Sat Dec 29 15:05:29 2012 +0100
     1.3 @@ -603,6 +603,14 @@
     1.4      """ A storage container (multiple objects in 1 tarfile) """
     1.5  
     1.6      def __init__(self, request, pagename, containername):
     1.7 +        """
     1.8 +        @param pagename: a wiki page name
     1.9 +        @param containername: the filename of the tar file.
    1.10 +                              Make sure this is a simple filename, NOT containing any path components.
    1.11 +                              Use wikiutil.taintfilename() to avoid somebody giving a container
    1.12 +                              name that starts with e.g. ../../filename or you'll create a
    1.13 +                              directory traversal and code execution vulnerability.
    1.14 +        """
    1.15          self.request = request
    1.16          self.pagename = pagename
    1.17          self.containername = containername
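Review bot: the new docstring on ContainerItem.__init__ (lines 1.7-1.14) documents the requirement but does not enforce it, so the next caller that forgets wikiutil.taintfilename() reintroduces the same traversal. Consider making the constructor defensive, e.g. `assert containername == wikiutil.taintfilename(containername)` or raising if the name contains a path separator or os.pardir, so that a bad container name fails loudly instead of being joined into a path. A short regression test passing a traversal-style name and checking that construction is rejected would pin this down.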
     2.1 --- a/MoinMoin/action/anywikidraw.py	Mon Dec 24 23:49:10 2012 +0100
     2.2 +++ b/MoinMoin/action/anywikidraw.py	Sat Dec 29 15:05:29 2012 +0100
     2.3 @@ -197,6 +197,8 @@
     2.4  
     2.5  def execute(pagename, request):
     2.6      target = request.values.get('target')
     2.7 +    target = wikiutil.taintfilename(target)
     2.8 +
     2.9      awd = AnyWikiDraw(request, pagename, target)
    2.10  
    2.11      do = request.values.get('do')
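Review bot: at line 2.6 `request.values.get('target')` returns None when the parameter is missing, and line 2.7 now passes that straight into wikiutil.taintfilename(); unless that helper accepts None, this turns a missing parameter into an AttributeError rather than a clean error. Suggest `target = request.values.get('target', '')` followed by an explicit rejection of an empty result after tainting, e.g. `if not target: return fail(...)` in whatever form the action uses. Also confirm that `wikiutil` is imported in this module, since the import is not visible in the hunk.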
     3.1 --- a/MoinMoin/action/twikidraw.py	Mon Dec 24 23:49:10 2012 +0100
     3.2 +++ b/MoinMoin/action/twikidraw.py	Sat Dec 29 15:05:29 2012 +0100
     3.3 @@ -208,6 +208,8 @@
     3.4  
     3.5  def execute(pagename, request):
     3.6      target = request.values.get('target')
     3.7 +    target = wikiutil.taintfilename(target)
     3.8 +
     3.9      twd = TwikiDraw(request, pagename, target)
    3.10  
    3.11      do = request.values.get('do')
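Review bot: lines 3.7-3.8 duplicate the two-line fix from anywikidraw.py, so the sanitization now lives in each action rather than in the code that turns `target` into a file name. Since the AttachFile docstring in this same changeset tells callers to taint the container name, it would be safer to taint once where TwikiDraw (and AnyWikiDraw) store `target`, so both actions and any future caller are covered, and the same None-handling concern applies here: `request.values.get('target')` at line 3.6 can be None.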