changeset 5910:7e7e1cbb9d3f

security: fix remote code execution vulnerability in twikidraw/anywikidraw actions We have wikiutil.taintfilename() to make user supplied filenames safe, so that they can't contain any "special" characters like path separators, etc. It is used in many places in moin, but wasn't used here. :|
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 29 Dec 2012 15:05:29 +0100
parents 671124d91dc1
children ef1bee86328f
files MoinMoin/action/AttachFile.py MoinMoin/action/anywikidraw.py MoinMoin/action/twikidraw.py
diffstat 3 files changed, 12 insertions(+), 0 deletions(-) [+]
--- a/MoinMoin/action/AttachFile.py	Mon Dec 24 23:49:10 2012 +0100
+++ b/MoinMoin/action/AttachFile.py	Sat Dec 29 15:05:29 2012 +0100
@@ -603,6 +603,14 @@
     """ A storage container (multiple objects in 1 tarfile) """
 
     def __init__(self, request, pagename, containername):
+        """
+        @param pagename: a wiki page name
+        @param containername: the filename of the tar file.
+                              Make sure this is a simple filename, NOT containing any path components.
+                              Use wikiutil.taintfilename() to avoid somebody giving a container
+                              name that starts with e.g. ../../filename or you'll create a
+                              directory traversal and code execution vulnerability.
+        """
         self.request = request
         self.pagename = pagename
         self.containername = containername
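Review bot: The new docstring tells callers to run `containername` through wikiutil.taintfilename(), but `__init__` itself still stores the value as given, so the container stays vulnerable to any present or future caller that forgets; the hunk shows `__init__` starting at the signature and its body may continue below the hunk. A defense-in-depth check at the assignment would make the class fail closed regardless of the caller, e.g. `self.containername = wikiutil.taintfilename(containername)` (assuming wikiutil is imported in this module), or raising if `os.path.basename(containername) != containername`. The docstring also documents pagename and containername but not request; a one-line `@param request:` entry would complete it.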
--- a/MoinMoin/action/anywikidraw.py	Mon Dec 24 23:49:10 2012 +0100
+++ b/MoinMoin/action/anywikidraw.py	Sat Dec 29 15:05:29 2012 +0100
@@ -197,6 +197,8 @@
 
 def execute(pagename, request):
     target = request.values.get('target')
+    target = wikiutil.taintfilename(target)
+
     awd = AnyWikiDraw(request, pagename, target)
 
     do = request.values.get('do')
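Review bot: `request.values.get('target')` returns None when the parameter is absent, and the added `target = wikiutil.taintfilename(target)` line passes that None straight into the sanitiser; unless taintfilename tolerates None (not visible here), a request without `target` now raises a TypeError/AttributeError inside the sanitiser instead of being rejected cleanly. A guard before the call, e.g. `if not target:` followed by whatever rejection this action uses for other bad input, keeps the fail-closed behaviour without the stack trace; the same applies to the identical line in MoinMoin/action/twikidraw.py. Whether taintfilename's output can still be empty (e.g. a `target` that is only separators) and how AnyWikiDraw handles that is decided further down in execute, which continues past the hunk.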
--- a/MoinMoin/action/twikidraw.py	Mon Dec 24 23:49:10 2012 +0100
+++ b/MoinMoin/action/twikidraw.py	Sat Dec 29 15:05:29 2012 +0100
@@ -208,6 +208,8 @@
 
 def execute(pagename, request):
     target = request.values.get('target')
+    target = wikiutil.taintfilename(target)
+
     twd = TwikiDraw(request, pagename, target)
 
     do = request.values.get('do')